
Re: perl executes mode 0 argument passed script when called through sudo, security hole?

by DrHyde (Prior)
on Nov 11, 2013 at 11:47 UTC


in reply to perl executes mode 0 argument passed script when called through sudo, security hole?

Compare what happens with a shell script either being executed directly or as an argument to /bin/sh:

    $ cat script.sh
    #!/bin/sh
    echo it ran
    $ ls -l
    ---------- 1 david david 22 2013-11-11 11:38 script.sh
    $ ./script.sh
    bash: ./script.sh: Permission denied
    $ sh ./script.sh
    bash: script.sh: Permission denied

and as root ...

    # ./script.sh
    -su: ./script.sh: Permission denied
    # sh script.sh
    it ran

Now, obviously you don't have permission to do anything with the script if you are an ordinary user, so everything happens as you expect.

However, if you are root, then things get a bit more complicated. When you attempt to execute something using the magic '#!' line, the system only looks for that if the file is marked as being executable by you. Even if you're root, if none of the 'x' bits are set then it won't execute like this.

But if you provide the script's name as an argument to an interpreter yourself, then the system looks to see if the interpreter (/bin/sh, or /usr/bin/perl, for example) has an 'x' bit set that applies to you. If it does, then the interpreter gets executed. It looks at its arguments, finds a filename, checks to see if the file is readable and then does its thang with it. Note that if you're root, a file with mode 0 is still readable, so the interpreter successfully opens it, reads the contents, and executes them.

So no, this isn't a security hole. It's just an artifact of what the 'execute' permission bits mean and how they are interpreted.

Re^2: perl executes mode 0 argument passed script when called through sudo, security hole?
by Don Coyote (Friar) on Nov 11, 2013 at 21:59 UTC

    Thank you for explaining this, Dr Hyde. I know from what I have read, there are numerous ways to execute a script on a system which does not interpret the magic #! line. Your explanation does help to understand these incantations more clearly. I think understanding root can read mode 0 files is the main point. Otherwise, how would you access an nt file, which does not have permissions, after you mounted an ntfs?

    For clarification I opened the mode 0 file passed as an argument to emacs whilst in sudo. Surely enough I could read, but not write, to the buffer. :smile

        #!/usr/bin/perl -l
        use warnings;
        use strict;
        my $var = 'hello world!';
        print $var;
        exit 0;

    And while passing this script in with the -l option did not cause problems, placing a -T at the end of the she-bang line still made perl complain about the command line lacking the taint mode flag, naturally.


    perl -e 'chmod 10000' ./coyote_ears
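
The two launch paths DrHyde describes can be checked with a short probe. This is an added example, not part of either post; `probe_exec_paths` is a hypothetical helper name, and it goes one step beyond the thread by also testing mode 400, where the interpreter path works for an ordinary owner too.

```shell
#!/bin/sh
# Added illustration, not code from the thread.
# probe_exec_paths (hypothetical name) writes a throwaway copy of the
# thread's script.sh with the given octal mode, tries both launch paths,
# and reports which of them the permission bits stopped.
probe_exec_paths() {
    mode=$1
    dir=$(mktemp -d) || return 1
    f="$dir/script.sh"
    printf '#!/bin/sh\necho it ran\n' > "$f"
    chmod "$mode" "$f"

    # Path 1: execve() on the file itself. The kernel wants an 'x' bit
    # (even for root) before it ever looks at the '#!' line.
    if out=$("$f" 2>/dev/null) && [ "$out" = "it ran" ]; then
        direct=ran
    else
        direct=denied
    fi

    # Path 2: execve() on the interpreter, which then opens the file for
    # reading. Only read access to the script matters on this path.
    if out=$(sh "$f" 2>/dev/null) && [ "$out" = "it ran" ]; then
        interp=ran
    else
        interp=denied
    fi

    rm -rf "$dir"
    echo "mode=$mode direct=$direct interp=$interp"
}

probe_exec_paths 000
probe_exec_paths 400
```

Run as root, the mode 000 probe reproduces the thread's result (direct execution denied, interpreter runs the file); as an ordinary user both paths are denied for mode 000.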
