Is this a safe suid/capability wrapper for (Python) scripts?
(Note: I have Linux in mind, but the problem may apply on other platforms.)
Problem: Linux doesn't do suid on #! scripts, nor does it activate “Linux capabilities” on them.
Why do we have this problem? Because during the kernel's interpreter setup to run the script, an attacker may have replaced that file. How? The formerly trusted suid/capability-enabled script file may be in a directory he has control over (e.g. he can delete the not-owned trusted file, or the file is actually a symbolic link he owns).
Proper solution: make the kernel allow suid/cap scripts if: a) it is clear that the caller has no power over the script file, or, as a couple of other operating systems do, b) pass the script as /dev/fd/x, referring to the originally kernel-opened trusted file.
Answer I'm looking for: for kernels which can't do this (all Linux), I need a safe “now” solution.
What do I have in mind? A binary wrapper, which does what the kernel does not, in a safe way.
I would like to
Problems with sudo: sudo is not a good wrapper, because it doesn't help the kernel avoid falling for the just-explained “script got replaced” trap (“man sudo” says so under caveats).
basename script.py .py, or argument -o
A bunch of notes and warnings may be printed by suid_capability_wrapper to educate the user about:
You don't want to use a shebang at all, on any file: you want to use a binary which invokes the Python interpreter, then tells it to start the script file for which you asked.
It needs to do three things:
This will give you a binary which will execute all owned-by-root-and-suid scripts under Python only. You only need one such program, not one per script. It's your "suidpythonrunner".
As you surmised, you must clear the environment before running Python. LD_LIBRARY_PATH is taken care of by the kernel, but PYTHONPATH could be deadly.
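As an added illustration of what the answer describes (example code written for this page, not code from the original thread or from any project), here is a hypothetical "suidpythonrunner" in C. It assumes /usr/bin/python3 as the interpreter path and a fixed minimal environment; both are assumptions, not anything the answer specifies. The wrapper opens the script first, then inspects the open descriptor with fstat (regular file, owned by root, not group- or world-writable), and finally execs the interpreter on /dev/fd/N with a fully replaced environment and -I (isolated mode), so PYTHONPATH and the other PYTHON* variables cannot reach the interpreter even if something leaked through. Because the interpreter reads the already-open descriptor, swapping the file out after the check does not change what runs.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical suidpythonrunner: one setuid binary for all root-owned scripts,
 * rather than one setuid file per script. Interpreter path is an assumption. */
static const char *const PYTHON = "/usr/bin/python3";

/* Minimal environment handed to the interpreter; nothing from the caller
 * survives, so PYTHONPATH, PYTHONSTARTUP etc. cannot be injected. */
static char *const CLEAN_ENV[] = {
    "PATH=/usr/bin:/bin",
    "LANG=C.UTF-8",
    NULL
};

/* Accept the script only if it is a regular file owned by root and writable by
 * nobody except root. The caller passes the result of fstat() on the already
 * open descriptor, so the inode checked here is the inode that will run. */
int script_is_trusted(const struct stat *st)
{
    if (!S_ISREG(st->st_mode))
        return 0;                       /* symlink, directory, device: refuse */
    if (st->st_uid != 0)
        return 0;                       /* not root-owned: refuse */
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return 0;                       /* someone else could edit it: refuse */
    return 1;
}

/* Build the interpreter argv: python3 -I /dev/fd/N <user args...>.
 * Returns the number of entries written (excluding the terminating NULL),
 * or -1 if the output array is too small. */
int build_python_argv(char **out, size_t out_len, const char *fd_path,
                      int user_argc, char **user_argv)
{
    size_t n = 0;
    if (out_len < 4)
        return -1;
    out[n++] = "python3";
    out[n++] = "-I";        /* isolated: ignore PYTHON* env, no script-dir or user site on sys.path */
    out[n++] = (char *)fd_path;
    for (int i = 0; i < user_argc; i++) {
        if (n + 1 >= out_len)
            return -1;
        out[n++] = user_argv[i];
    }
    out[n] = NULL;
    return (int)n;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s script.py [args...]\n", argv[0]);
        return 2;
    }

    /* Open first, then judge the descriptor: no path is trusted after this point.
     * O_NOFOLLOW refuses the attacker-owned-symlink case outright. */
    int fd = open(argv[1], O_RDONLY | O_NOFOLLOW);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    struct stat st;
    if (fstat(fd, &st) < 0 || !script_is_trusted(&st)) {
        fprintf(stderr, "refusing: script is not a root-owned, non-writable regular file\n");
        return 1;
    }

    /* Hand the interpreter the open descriptor, not the path the caller gave us. */
    char fd_path[32];
    snprintf(fd_path, sizeof fd_path, "/dev/fd/%d", fd);

    char *py_argv[64];
    if (build_python_argv(py_argv, sizeof py_argv / sizeof py_argv[0],
                          fd_path, argc - 2, argv + 2) < 0) {
        fprintf(stderr, "too many arguments\n");
        return 1;
    }

    execve(PYTHON, py_argv, CLEAN_ENV);   /* replaces the environment entirely */
    perror("execve");
    return 1;
}
```

Install it as root-owned with the setuid bit (chown root, chmod u+s) and leave the scripts themselves without suid; the wrapper is the only privileged file. The check is deliberately done on the descriptor rather than on the path, which is what closes the "script got replaced" window the question describes.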