为什么我的setuid root的Bash shell脚本不工作? [英] Why do my setuid root bash shell scripts not work?
问题描述
我创造了这个简单的脚本来允许用户删除由Web服务器在他的家目录下创建文件,而不给他苏。这两个脚本都设置有搭配chmod 4750。
最疯狂的事情是,他们没有工作,现在他们不这样做。这里的脚本:
#!/斌/庆典#询问目录中删除
回声输入文件,或者你想删除的目录,假设路径为/ home /用户读取目录RM -rf / home / user中/$目录回声删除/ home / user中/ $目录...退出0
2
#!/斌/庆典#重置权限
回声重置的/ home / user的用户内容的所有权。CHOWN -R用户的/ home /用户退出0
我会让他们更先进一点和工作为多个用户但现在我甚至不能简单的版本工作。当作为当然的root身份运行它的工作原理。它使用时的用户'用户'运行工作,但现在没有。我得到这样的:
用户@开发:/ home / user的$ delete.sh
输入文件或目录,你想删除,假设路径为/ home /用户/ [您输入]
测试DIR
RM:不能删除/ home / user中/测试DIR /测试文件':权限被拒绝
删除/ home / user中/测试目录,可...
和
CHOWN:改变/ home / user中/测试目录的所有权:不允许操作
什么都不可能是问题?
-rwsr-X --- 1 root用户291 11月6日05:23 delete.sh
-rwsr-X --- 1 root用户177 11月6日05:45 perms.sh
有一个pretty COM prehansive在<一个答案href=\"http://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts\">http://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts
底线是,有两个要点反对:
- 当内核打开文件来寻找其中除preTER就应该执行,当间preTER打开文件来读剧本之间的竞争条件。
- 这执行没有适当的检查,许多外部程序Shell脚本可以被愚弄,执行错误的程序(例如,使用恶意PATH),或扩大在一个破碎的方式变量(例如具有变量值空格),一般有少关于如何做好外部程序,控制其执行处理输入。
历史上,有一个著名的bug在原来的Bourne shell(至少在4.2BSD,这是我看到这个动作),它允许任何人创建一个名为符号链接获得互动的root shell -i 来一个suid的shell脚本。这可能是导致被禁止原触发。
I created this simple script to allow the user to remove files created by the web server in his home directory without giving him "su". Both scripts are set with "chmod 4750".
The craziest thing is that they DID work and now they don't. Here's the scripts:
#!/bin/bash
# Ask for directory to delete
echo "Enter the file or directory you would like to delete, the assumed path is /home/user"
read DIRECTORY
rm -rf /home/user/"$DIRECTORY"
echo "Deleting /home/user/$DIRECTORY ..."
exit 0
2:
#!/bin/bash
# Reset permissions
echo "Resetting the ownership of the contents of /home/user to user."
chown -R user /home/user
exit 0
I will make them a little more advanced and work for multiple users but right now I cannot even get the simple version to work. It works when run as root of course. It used to work when run as user 'user' but now it doesn't. I get this:
user@dev:/home/user$ delete.sh
Enter the file or directory you would like to delete, the assumed path is /home/user/[your input]
test-dir
rm: cannot remove ‘/home/user/test-dir/test-file’: Permission denied
Deleting /home/user/test-dir ...
and
chown: changing ownership of ‘/home/user/test-dir’: Operation not permitted
What can possibly be the problem?
-rwsr-x--- 1 root user 291 Nov 6 05:23 delete.sh
-rwsr-x--- 1 root user 177 Nov 6 05:45 perms.sh
There is a pretty comprehansive answer at http://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts
Bottom line is that there are two main points against it:
- A race condition between when the Kernel opens the file to find which interpreter it should execute and when the interpreter opens the file to read the script.
- Shell scripts which execute many external programs without proper checks can be fooled into executing the wrong program (e.g. using malicious PATH), or expand variables in a broken way (e.g. having white space in variable values), and generally it has less control on how well the external programs it executes handle the input.
Historically, there was a famous bug in the original Bourne shell (at least on 4.2BSD, which is where I saw this in action) which allowed anyone to get interactive root shell by creating a symlink called -i to a suid shell script. That's possibly the original trigger for this being prohibited.
这篇关于为什么我的setuid root的Bash shell脚本不工作?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
