unofficial mirror of guile-user@gnu.org 
From: Roland Besserer <roland@motorola.com>
Subject: Re: Guile scripts and setuid bit -> trouble
Date: 10 Jan 2005 16:03:48 -0800
Message-ID: <opcbrbwkf17.fsf@kanaha.am.mot.com>
In-Reply-To: <20050110081618.GA15094@www>


Naturally, I'm aware of the inherent security issues but they are not a
concern in this case (isolated machine, etc.). 

The script is used to modify a simple text file which has -rw-------
permissions and is owned by a separate user and group and the script
is uid root.

With the script perms -rwxr-xr-x and the test file set to -rw-rw-rw-
everything works fine. If I limit the permissions on the text file and
setuid the script (-rwsr-xr-x) I get the error.

It does work as expected on OSX (guile 1.6.4), so this appears to be 
Solaris specific. This is Solaris 8/9 by the way. Turns out that sh
scripts also fail to run as setuid, but they don't give any parse errors,
they just run with the real uid.

I know there is a file system option (nosuid) but all my file systems are
mounted with the enable option (uid).


roland

p.s. By the way, I found that the guile-1.6.4 build on OSX does not support
the Posix user information calls like (cuserid).

<tomas@fabula.de> writes:

> On Thu, Jan 06, 2005 at 04:26:25PM -0800, Roland Besserer wrote:
> > 
> > Hi,
> > 
> > I am having an issue running guile scripts on a Solaris 9 machine.
> > The script starts with the usual:
> > 
> > #!/usr/local/bin/guile \
> > -e main -s
> > !#
> [...]
> > ERROR: Unbound variable: !#
> 
> hi,
> 
> don't know about Solaris -- but note that setuid *scripts* are
> special. Done naively they are inherently insecure. Different
> systems have different approaches to cope with that. Linux, for
> example, just ignores the setuid bit on scripts (you can do
> setuid Perl scripts, but that involves some suidperl black magic,
> having a setuid Perl interpreter as one of its tasty ingredients,
> yummm...). Maybe Solaris is passing an already-open file descriptor
> to the shell (i.e. guile), on which the first line is ``read-off'',
> so poor guile doesn't get the hash-bang at the beginning?
> 
> What happens if you append a backslash to the second line? What if
> you change the last one to ``#! !#'' (looks funny, right ;-)
> 
> Regards
> -- tomás


_______________________________________________
Guile-user mailing list
Guile-user@gnu.org
http://lists.gnu.org/mailman/listinfo/guile-user
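The thread turns on whether the kernel honours the setuid bit on an interpreter script at all: Linux ignores it, while Solaris (as tomas suspects) hands the interpreter an already-open descriptor. Either way, a setuid script is worth knowing about, since it is either silently ineffective or a real privilege boundary. The following POSIX shell audit is an added example, not code from this thread or from Guile; it lists files under a directory that carry the setuid or setgid bit and start with `#!`. The sample tree it builds (file names `suid.sh`, `suid.scm`, `plain.sh`, `suid.dat`) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory tree for interpreter
# scripts carrying the setuid or setgid bit. Whether the kernel honours the bit
# on a script varies by OS (Linux ignores it, Solaris passes an open fd), so
# such files are either silently ineffective or a real privilege boundary.
# The sample tree and file names below are constructed.

# find_setuid_scripts DIR
# Prints one line per regular file under DIR that has the setuid (4000) or
# setgid (2000) bit set and whose first two bytes are "#!" (a script, not a
# compiled binary).
find_setuid_scripts() {
    dir=$1
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # head -c 2 reads only the first two bytes of the file.
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# count_setuid_scripts DIR: number of flagged files (handy for scripting).
count_setuid_scripts() {
    find_setuid_scripts "$1" | wc -l | tr -d ' '
}

# make_sample_tree: build a constructed tree in a temp directory with
#   - suid.sh   : setuid shell script          (should be flagged)
#   - suid.scm  : setuid Guile script in the thread's "#!... !#" style (flagged)
#   - plain.sh  : ordinary script, no setuid    (not flagged)
#   - suid.dat  : setuid but not a script       (not flagged by this check)
# Prints the directory path.
make_sample_tree() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hello\n' > "$d/suid.sh"
    printf '#!/usr/local/bin/guile \\\n-e main -s\n!#\n(define (main args) (display "hi"))\n' > "$d/suid.scm"
    printf '#!/bin/sh\necho plain\n' > "$d/plain.sh"
    printf 'not a script\n' > "$d/suid.dat"
    chmod u+s "$d/suid.sh" "$d/suid.scm" "$d/suid.dat"
    printf '%s\n' "$d"
}

# Stand-alone usage: build the sample tree, list the offenders, clean up.
sample=$(make_sample_tree)
find_setuid_scripts "$sample"
rm -rf "$sample"
```

Run it against `/` (or the mount points you care about) instead of the sample tree to get the real list; on a system like the one in the thread, each hit is a file whose privilege behaviour depends on the OS rather than on the bit itself.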



Thread overview: 8+ messages
2005-01-07  0:26 Guile scripts and setuid bit -> trouble Roland Besserer
2005-01-08  2:08 ` Andy Wingo
2005-01-09  7:11   ` Paul Jarc
2005-01-10  8:16 ` tomas
2005-01-11  0:03   ` Roland Besserer [this message]
2005-01-11  9:06     ` tomas
2005-01-12  0:48     ` Kevin Ryde
2005-01-11  1:08   ` Roland Besserer
