[Eug-lug] Linux- Mac OS X file exchange: This sounds right

Allen Brown abrown at peak.org
Tue Aug 1 11:13:49 PDT 2006


Bob Miller wrote:
> Allen Brown wrote:
> 
> 
>>It is tempting to also use nosuid, but there is a warning on
>>the mount page.
>>  nosuid Do  not allow set-user-identifier or set-group-identifier
>>         bits to take effect. (This seems safe,  but  is  in  fact
>>         rather unsafe if you have suidperl(1) installed.)
>>
>>What the heck is that?  I don't seem to have it installed,
>>but this makes me nervous because I wouldn't necessarily
>>notice if it came in along with a bunch of other stuff
>>in an apt-get.
> 
> 
> /usr/bin/suidperl is part of the perl package.  It's a set-uid program,
> usually installed setuid root, that invokes perl, used to change uid
> on setuid scripts when the kernel doesn't do that.
> 
> An evildoer could...
> 
>    On his own box, create a floppy/CD/flash ext2 filesystem and put
>    evilscript on it setuid root.
> 
>    On your box, with normal user privs, he inserts and mounts the
>    device which you've marked with user,nosuid in /etc/fstab.
> 
>    The evildoer runs his script.  The kernel invokes perl but does not
>    set uid (because the fs is mounted nosuid).  Perl sees the setuid
>    bit, execs suidperl.  suidperl sees the setuid bit, changes its
>    effective uid to the file's owner (root), and execs perl.  Perl,
>    now running as root, executes the script, and hilarity ensues.
> 
> Many distros ship without suidperl.  Gentoo has a USE flag to enable
> it which defaults to off.  Ubuntu ships with suidperl, but it doesn't
> have the setuid bit set.  Those are the distros I have handy just now.
> 
> That's probably more information than you wanted...

Not at all.  I'm glad to hear it.

It does make me wonder why suidperl wasn't killed long ago.
And it seems like the warning on the mount page is poorly
worded since it implies that setting nosuid *opens* the hole
exploited by suidperl.  What is more accurate is that suidperl
*reopens* the hole that nosuid closed.

So nosuid is a good thing.  But you also must forbid suidperl.
-- 
Allen Brown  abrown at peak.org  http://www.peak.org/~abrown/
   You can lead a horticulture but you can't make her think. ---Dorothy Parker
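One way to audit a box for the two halves of the hole Bob describes (a mount without nosuid, and a setuid suidperl), as an added example that is not from the original thread. The mount table and the suidperl files here are constructed so it runs offline; on a real host the inputs would be /proc/mounts and /usr/bin/suidperl.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit the two conditions
# discussed above (mounts missing nosuid, and a setuid suidperl binary),
# using constructed sample data so it runs offline.

# Print mount points whose options lack nosuid.
# $1 = file in /proc/mounts format: device mountpoint fstype options dump pass
mounts_missing_nosuid() {
    awk '$4 !~ /(^|,)nosuid(,|$)/ { print $2 }' "$1"
}

# True (exit 0) when the given file exists and has the setuid bit set.
# On a real system $1 would be /usr/bin/suidperl; here it is a constructed file.
suidperl_is_setuid() {
    [ -u "$1" ]
}

# True (exit 0) when both halves of the hole are present: a setuid suidperl
# ($2) and at least one mount in the table ($1) where nosuid is not set.
suidperl_hole_present() {
    suidperl_is_setuid "$2" || return 1
    [ -n "$(mounts_missing_nosuid "$1")" ]
}

# Constructed sample data (not from any real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/mounts" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sdb1 /media/usb ext2 rw,nosuid,nodev,noexec 0 0
/dev/sdc1 /media/cdrom ext2 rw,noexec 0 0
EOF
: > "$tmp/suidperl"
chmod 4755 "$tmp/suidperl"         # simulate a setuid install; owner is the test user
: > "$tmp/suidperl_plain"
chmod 0755 "$tmp/suidperl_plain"   # the Ubuntu case from the thread: present, bit not set

echo "Mounts without nosuid:"
mounts_missing_nosuid "$tmp/mounts"
if suidperl_hole_present "$tmp/mounts" "$tmp/suidperl"; then
    echo "setuid suidperl plus a non-nosuid mount: nosuid protection is undone"
fi
```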