Re: writing logs in a file that needs root privileges
- From: Maxwell Lol <nospam@xxxxxxxxxxx>
- Date: Sun, 06 Jun 2010 20:36:59 -0400
Rahul <nospam@xxxxxxxxxxxxxx> writes:
> Thanks! The only secure solution seems a setuid and unfortunately C seems
> the only way to do that. Too bad that bash scripts aren't allowed to do a
> privilege escalation for the log writing part. I wonder why though? Is bash
> in some way less secure than C?

The real problem with set UID scripts is that the kernel has to do three steps:
1) Open the file, find the name of the engine (bash) and start the engine.
2) Set the UID
3) Open the file and read it into the engine.
Between 1 and 3, it is possible to change the contents of the script
file. While it seems hard, I can create a series of symbolic links
(hundreds) that point to the script. I then execute the setuid script,
and if I change one of the symbolic links, I can point to a new file
and gain privileges.
Solaris allows setuid shell scripts. The Bourne shell has a special
flag that passes the contents of the script as a file descriptor,
instead of passing a file name.
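
The descriptor-passing idea in the message above, as an added example that is not part of the original post: open the script once, take owner and mode from the descriptor with `fstat`, and give the interpreter a `/dev/fd/N` name so the path is never resolved a second time. The function names and the temporary files are constructed for illustration.

```c
/* Added example, not from the original post. File names are constructed. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the script once; take owner and mode from the descriptor (fstat),
 * never from a second lookup of the path. Returns the fd, or -1. */
int open_script_once(const char *path, struct stat *st)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, st) != 0 || !S_ISREG(st->st_mode)) { close(fd); return -1; }
    return fd;
}

/* Build the name handed to the interpreter in place of the path. */
int fd_script_name(int fd, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/dev/fd/%d", fd);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

static int put(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    return (f && fputs(text, f) >= 0 && fclose(f) == 0) ? 0 : -1;
}

/* Re-point a symlink after the open: the descriptor still reads the file
 * that was checked, while the path now names another one. Returns 1 if so. */
int fd_survives_relink(void)
{
    char dir[] = "/tmp/fdscriptXXXXXX", a[64], b[64], l[64], buf[32] = {0};
    struct stat st, now;
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/checked.sh", dir);
    snprintf(b, sizeof b, "%s/other.sh", dir);
    snprintf(l, sizeof l, "%s/link", dir);
    if (put(a, "echo checked\n") || put(b, "echo other\n") || symlink(a, l)) return -1;
    int fd = open_script_once(l, &st);
    if (fd < 0 || unlink(l) || symlink(b, l)) return -1;  /* path now names other.sh */
    ssize_t n = read(fd, buf, sizeof buf - 1);
    int same = stat(l, &now) == 0 && now.st_ino == st.st_ino;
    close(fd); unlink(l); unlink(a); unlink(b); rmdir(dir);
    return n > 0 && strcmp(buf, "echo checked\n") == 0 && !same;
}
```

A setuid C wrapper built this way would compare `st.st_uid` and `st.st_mode` from the `fstat` result against what it expects before handing the `/dev/fd/N` name to the interpreter.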