setuid script insecure dependency error
Hi,
I am using a setuid script. Inside the script I need to get a path
from a user-defined environment variable and then append the executable
to that path and then issue the system command to execute it.
I won't know the path beforehand so I cannot use a regular expression to
"untaint" it.
Any advice regarding how to get around it?
Thanks,
CT
Jay C. James 2006-02-26, 10:17 am
"ct" <ctsang213@gmail.com> wrote in message
news:1140565343.837097.121240@o13g2000cwo.googlegroups.com...
>
> Hi,
>
> I am using a setuid script. Inside the script I need to get a path
> from a user-defined environment variable and then append the executable
> to that path and then issue the system command to execute it.
>
> I won't know the path beforehand so I cannot use a regular expression to
> "untaint" it.
>
> Any advice regarding how to get around it?
>
> Thanks,
> CT
>
Personally I wouldn't recommend writing a SETUID script that allowed an
external, potentially end-user-modifiable variable to drive its further
execution. This could be subverted to easily create a SETUID shell, or
process, creating a bit of a risk to your system.

If you -must- have a SETUID script, then it may suit you to use the shell
built-ins to validate the path using conditional if statements. If you
don't know the path beforehand, perhaps you can narrow it down to a few
choices, thereby eliminating everything else? That would be better than
going in completely blind, opening up yourself to taintable input.
jcj
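
The "narrow it down to a few choices" approach from the reply above, as an added example that is not part of the original thread. APP_HOME, the three directories and the executable name report-tool are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. APP_HOME, the directory list
# and "report-tool" are hypothetical.

# Fixed, trusted environment: never inherit PATH or IFS from the caller.
PATH=/usr/bin:/bin
export PATH
unset IFS

# Print the approved directory that is identical to $1 and return 0;
# return 1 for anything else. Only exact string matches pass, so "..",
# trailing slashes, whitespace and shell metacharacters are all rejected.
pick_app_home() {
    case "$1" in
        /opt/app/current) printf '%s\n' /opt/app/current ;;
        /opt/app/stable)  printf '%s\n' /opt/app/stable ;;
        /usr/local/app)   printf '%s\n' /usr/local/app ;;
        *) return 1 ;;
    esac
}

# Build the full command path from the caller-supplied value, or fail.
# The directory that is printed comes from the literals above, never from
# the caller's string, and the executable name is fixed in the script.
tool_path() {
    dir=$(pick_app_home "$1") || return 1
    printf '%s/%s\n' "$dir" report-tool
}

# Intended use inside the privileged script:
#   cmd=$(tool_path "${APP_HOME:-}") || {
#       echo "APP_HOME is not an approved directory" >&2
#       exit 1
#   }
#   exec "$cmd"
```

The approved directories and the executable in them still need to be owned by root and not writable by other users, or the allowlist only moves the problem.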