PerlMonks  

perl executes mode 0 argument passed script when called through sudo, security hole?

by Don Coyote (Monk)
on Nov 10, 2013 at 19:56 UTC (#1061922=perlquestion)
Don Coyote has asked for the wisdom of the Perl Monks concerning the following question:

This may not be a Perl-specific thing, but I was not sure and thought it best to mention it just in case. I call a chmod 0 script by itself and by perl in my user shell (bash), and it fails as expected. I set-uid and it still fails, which I think is right as the mode is 4000.

Now I set the mode back to 0 and pass the script in as an argument to perl. In my user environment this fails, but under sudo the script executes.

I am not sure, but is this working properly? Being mode 0, I would have thought the script would not be executable whether or not it is set-uid. I have included most of my dabbling for reference; the interesting calls are closer to the bottom of the script.

$ login
Ubuntu LTS 10.04.4
263 updates avaliable
238 are security updates
hilarious@hilarious-desktop:~/Documents$ perl -v
This is perl, v5.10.1 (*) built for x86_64-linux-gnu-thread-multi
hilarious@hilarious-desktop:~/Documents$ mkdir ./messin
$ cd ./messin
$ touch ./hmm
$ ls
hmm
$ ls -l ./hmm
-rw------- 1 hilarious hilarious 0 2013-11-10 17:36 ./hmm
$ chmod 0200 ./hmm
$ ls -l ./hmm
--w------- 1 hilarious hilarious 0 2013-11-10 17:36 ./hmm
$ emacs ./hmm
$ emacs -nw ./hmm
$ emacs -nw ./hmm
$ chmod 0000 ./hmm
$ ls -l ./hmm
---------- 1 hilarious hilarious 0 2013-11-10 17:36 ./hmm
$ emacs -nw ./hmm
$ chmod 0200 ./hmm
$ chmod 0400 ./hmm
$ emacs -nw ./hmm
$ chmod 0600 ./hmm
$ emacs -nw ./hmm
$ ls -l ./hmm
-rw------- 1 hilarious hilarious 92 2013-11-10 17:57 ./hmm
$ ./hmm
bash: ./hmm: Permission denied
$ sudo ./hmm
[sudo] password for hilarious:
sudo: ./hmm: command not found
$ su hilarious
Password:
Warning: your password will expire in 4 days
$ who am i
hilarious pts/1 2013-11-10 17:35 (:0.0)
$ ./hmm
Can't open perl script "./hmm": Permission denied
$ chmod 5 ./hmm
$ ./hmm
bash: ./hmm: Permission denied
$ ls -l ./hmm
-------r-x 1 hilarious hilarious 92 2013-11-10 17:57 ./hmm
$ chmod 500 ./hmm
$ ./hmm
hello world!
$ chmod 005 ./hmm
$ ./hmm
bash: ./hmm: Permission denied
$ sudo ./hmm
hello world!
$ who am i
hilarious pts/1 2013-11-10 17:35 (:0.0)
$ sudo who am i
hilarious pts/1 2013-11-10 17:35 (:0.0)
$ cmod 007 ./hmm
No command 'cmod' found, did you mean:
 Command 'qmod' from package 'gridengine-client' (universe)
 Command 'chmod' from package 'coreutils' (main)
 Command 'mod' from package 'monodoc-base' (main)
cmod: command not found
$ chmod 007 ./hmm
$ emacs -nw ./hmm
$ ./hmm
bash: ./hmm: Permission denied
$ sudo ./hmm
hello world!
$ chmod 0 ./hmm
$ sudo ./hmm
sudo: ./hmm: command not found
$ sudo perl ./hmm
hello world!
$ perl ./hmm
Can't open perl script "./hmm": Permission denied
$ ls -l ./hmm
---------- 1 hilarious hilarious 92 2013-11-10 17:57 ./hmm
$ chmod 4000 ./hmm
$ ./hmm
bash: ./hmm: Permission denied
$ perl ./hmm
Can't open perl script "./hmm": Permission denied
$ sudo perl ./hmm
Args must match #! line at ./hmm line 1.
$ sudo perl -l ./hmm
Effective UID cannot exec script
$ sudo chmod 0 ./hmm
$ sudo perl ./hmm
hello world!

Re: perl executes mode 0 argument passed script when called through sudo, security hole?
by DrHyde (Prior) on Nov 11, 2013 at 11:47 UTC

    Compare what happens with a shell script either being executed directly or as an argument to /bin/sh:

    $ cat script.sh
    #!/bin/sh
    echo it ran
    $ ls -l
    ---------- 1 david david 22 2013-11-11 11:38 script.sh
    $ ./script.sh
    bash: ./script.sh: Permission denied
    $ sh ./script.sh
    bash: script.sh: Permission denied

    and as root ...

    # ./script.sh
    -su: ./script.sh: Permission denied
    # sh script.sh
    it ran

    Now, obviously you don't have permission to do anything with the script if you are an ordinary user, so everything happens as you expect.

    However, if you are root, then things get a bit more complicated. When you attempt to execute something using the magic '#!' line, the system only looks for that if the file is marked as being executable by you. Even if you're root, if none of the 'x' bits are set then it won't execute like this.

    But if you provide the script's name as an argument to an interpreter yourself, then the system looks to see if the interpreter (/bin/sh, or /usr/bin/perl, for example) has an 'x' bit set that applies to you. If it does, then the interpreter gets executed. It looks at its arguments, finds a filename, checks to see if the file is readable and then does its thang with it. Note that if you're root, a file with mode 0 is still readable, so the interpreter successfully opens it, reads the contents, and executes them.

    So no, this isn't a security hole. It's just an artifact of what the 'execute' permission bits mean and how they are interpreted.

      Thank you for explaining this, Dr Hyde. I know from what I have read that there are numerous ways to execute a script on a system which does not interpret the magic #! line. Your explanation does help to understand these incantations more clearly. I think understanding that root can read mode 0 files is the main point. Otherwise, how would you access an nt file, which does not have permissions, after you mounted an ntfs?

      For clarification I opened the mode 0 file passed as an argument to emacs whilst in sudo. Surely enough I could read, but not write, to the buffer. :smile

      #!/usr/bin/perl -l
      use warnings;
      use strict;
      my $var = 'hello world!';
      print $var;
      exit 0;

      And while passing this script in with the -l option did not cause problems, placing a -T at the end of the she-bang line still made perl complain about the command line lacking the taint mode flag, naturally.


      perl -e 'chmod 10000' ./coyote_ears
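
The two checks DrHyde describes above, written out as a small model and replayed against the modes tried in the question's transcript. This is an added example, not code from the thread; the uid/gid values are constructed, and it covers classic mode bits only (no ACLs, supplementary groups, noexec mounts or LSM policy).

```python
# Added illustration, not code from the thread. Models classic Unix mode-bit
# checks only: no ACLs, supplementary groups, noexec mounts or LSM policy.

def class_bits(mode, uid, gid, f_uid, f_gid):
    """rwx triplet (0-7) for the first matching class: owner, group, other."""
    if uid == f_uid:
        return (mode >> 6) & 0o7
    if gid == f_gid:
        return (mode >> 3) & 0o7
    return mode & 0o7


def can_read(mode, uid, gid, f_uid, f_gid):
    # root bypasses read checks, so even a mode-0 file is readable.
    return uid == 0 or bool(class_bits(mode, uid, gid, f_uid, f_gid) & 0o4)


def can_exec(mode, uid, gid, f_uid, f_gid):
    # root may exec only if at least one of the three x bits is set.
    if uid == 0:
        return bool(mode & 0o111)
    return bool(class_bits(mode, uid, gid, f_uid, f_gid) & 0o1)


def run_directly(mode, uid, gid, f_uid, f_gid):
    """./script: kernel needs x on the script; the #! interpreter then needs r."""
    who = (uid, gid, f_uid, f_gid)
    return can_exec(mode, *who) and can_read(mode, *who)


def run_via_interpreter(mode, uid, gid, f_uid, f_gid):
    """perl ./script: x is checked on perl, the script only has to be readable."""
    return can_read(mode, uid, gid, f_uid, f_gid)


def replay(owner=1000, group=1000):
    """Replay modes from the transcript for the owner and for root (uid 0).
    The owner/group ids are constructed sample values."""
    rows = []
    for mode in (0o000, 0o005, 0o500, 0o007):
        for label, uid, gid in (("owner", owner, group), ("root", 0, 0)):
            who = (uid, gid, owner, group)
            rows.append((oct(mode), label,
                         run_directly(mode, *who),
                         run_via_interpreter(mode, *who)))
    return rows


if __name__ == "__main__":
    for row in replay():
        print("%-6s %-5s direct=%-5s via_interpreter=%s" % row)
```

The transcript's mode 4000 case falls outside this model: there the file was readable by root, but perl itself refused the set-uid script.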
