?RCS: $Id$
?RCS:
?RCS: Copyright (c) 1991-1997, 2004-2006, Raphael Manfredi
?RCS:
?RCS: You may redistribute only under the terms of the Artistic License,
?RCS: as specified in the README file that comes with the distribution.
?RCS: You may reuse parts of this distribution only within the terms of
?RCS: that same Artistic License; a copy of which may be found at the root
?RCS: of the source tree for dist 4.0.
?RCS:
?RCS: Tye McQueen <tye@metronet.com> added safe setuid script checks.
?RCS:
?RCS: $Log: d_dosuid.U,v $
?RCS: Revision 3.0.1.2 1997/02/28 15:33:03 ram
?RCS: patch61: moved unit to TOP via a ?Y: layout directive
?RCS: patch61: tell them /dev/fd is not about floppy disks
?RCS:
?RCS: Revision 3.0.1.1 1994/10/29 16:12:08 ram
?RCS: patch36: added checks for secure setuid scripts (Tye McQueen)
?RCS:
?RCS: Revision 3.0 1993/08/18 12:05:55 ram
?RCS: Baseline for dist 3.0 netwide release.
?RCS:
?MAKE:d_dosuid d_suidsafe: cat contains ls rm test Myread Setvar \
	Oldconfig Guess package hint
?MAKE:	-pick add $@ %<
?S:d_suidsafe:
?S:	This variable conditionally defines SETUID_SCRIPTS_ARE_SECURE_NOW
?S:	if setuid scripts can be secure. This test looks in /dev/fd/.
?S:.
?S:d_dosuid:
?S:	This variable conditionally defines the symbol DOSUID, which
?S:	tells the C program that it should insert setuid emulation code
?S:	on hosts which have setuid #! scripts disabled.
?S:.
?C:SETUID_SCRIPTS_ARE_SECURE_NOW:
?C:	This symbol, if defined, indicates that the bug that prevents
?C:	setuid scripts from being secure is not present in this kernel.
?C:.
?C:DOSUID:
?C:	This symbol, if defined, indicates that the C program should
?C:	check the script that it is executing for setuid/setgid bits, and
?C:	attempt to emulate setuid/setgid on systems that have disabled
?C:	setuid #! scripts because the kernel can't do it securely.
?C:	It is up to the package designer to make sure that this emulation
?C:	is done securely. Among other things, it should do an fstat on
?C:	the script it just opened to make sure it really is a setuid/setgid
?C:	script, it should make sure the arguments passed correspond exactly
?C:	to the argument on the #! line, and it should not trust any
?C:	subprocesses to which it must pass the filename rather than the
?C:	file descriptor of the script to be executed.
?C:.
?H:#$d_suidsafe SETUID_SCRIPTS_ARE_SECURE_NOW /**/
?H:#$d_dosuid DOSUID /**/
?H:.
?Y:TOP
?F:!reflect
?LINT: set d_suidsafe
?LINT: set d_dosuid
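: see if setuid scripts can be secure
$cat <<EOM

Some kernels have a bug that prevents setuid #! scripts from being
secure. Some sites have disabled setuid #! scripts because of this.

First let's decide if your kernel supports secure setuid #! scripts.
(If setuid #! scripts would be secure but have been disabled anyway,
don't say that they are secure if asked.)

EOM

: The probe is a setuid script whose interpreter is ls.  A kernel that
: runs setuid scripts safely opens the script itself and passes the
: interpreter /dev/fd/N instead of the pathname, so the ls output then
: names /dev/fd.  The probe files reflect and flect are created in the
: build directory and removed at the end of this section.  While reflect
: exists it carries the setuid bit of the user running Configure, which
: is root when Configure is run as root.
val="$undef"
if $test -d /dev/fd; then
	echo "#!$ls" >reflect
	chmod +x,u+s reflect
	./reflect >flect 2>&1
	if $contains "/dev/fd" flect >/dev/null; then
		echo "Congratulations, your kernel has secure setuid scripts!" >&4
		val="$define"
	else
		$cat <<EOM
If you are not sure if they are secure, I can check but I'll need a
username and password different from the one you are using right now.
If you don't have such a username or don't want me to test, simply
enter 'none'.

EOM
		rp='Other username to test security of setuid scripts with?'
		dflt='none'
		. ./myread
		case "$ans" in
		n|none)
			: No second account.  Fall back to the hint value, if any.
			case "$d_suidsafe" in
			'') echo "I'll assume setuid scripts are *not* secure." >&4
				dflt=n;;
			"$undef")
				echo "Well, the $hint value is *not* secure." >&4
				dflt=n;;
			*) echo "Well, the $hint value *is* secure." >&4
				dflt=y;;
			esac
			;;
		*)
			: Re-run the probe as the other user.  reflect is setuid to us
			: and flect is made world-writable so that user can write to it.
			: The username is quoted so it reaches su as a single argument.
			$rm -f reflect flect
			echo "#!$ls" >reflect
			chmod +x,u+s reflect
			echo >flect
			chmod a+w flect
			echo '"su" will (probably) prompt you for '"$ans's password."
			su "$ans" -c './reflect >flect'
			if $contains "/dev/fd" flect >/dev/null; then
				echo "Okay, it looks like setuid scripts are secure." >&4
				dflt=y
			else
				echo "I don't think setuid scripts are secure." >&4
				dflt=n
			fi
			;;
		esac
		rp='Does your kernel have *secure* setuid scripts?'
		. ./myread
		case "$ans" in
		[yY]*) val="$define";;
		*) val="$undef";;
		esac
	fi
else
	echo "I don't think setuid scripts are secure (no /dev/fd directory)." >&4
	echo "(That's for file descriptors, not floppy disks.)" >&4
	val="$undef"
fi
set d_suidsafe
eval $setvar

$rm -f reflect flect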
| 136 | |
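: now see if they want to do setuid emulation
echo " "
val="$undef"
case "$d_suidsafe" in
"$define")
	: The kernel honours the bits itself, so emulation would be redundant.
	echo "No need to emulate SUID scripts since they are secure here." >&4
	;;
*)
	$cat <<EOM
Some systems have disabled setuid scripts, especially systems where
setuid scripts cannot be secure. On systems where setuid scripts have
been disabled, the setuid/setgid bits on scripts are currently
useless. It is possible for $package to detect those bits and emulate
setuid/setgid in a secure fashion. This emulation will only work if
setuid scripts have been disabled in your kernel.

EOM
	: Default to any value already in d_dosuid.
	case "$d_dosuid" in
	"$define") dflt=y ;;
	*) dflt=n ;;
	esac
	rp="Do you want to do setuid/setgid emulation?"
	. ./myread
	case "$ans" in
	[yY]*) val="$define";;
	*) val="$undef";;
	esac
	;;
esac
set d_dosuid
eval $setvar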
| 169 | |