sudo open() ? (python newbee question)

Christos TZOTZIOY Georgiou tzot at sil-tec.gr
Tue Jun 14 15:18:19 CEST 2005


On 14 Jun 2005 08:12:17 -0400, rumours say that Dan Sommers
<me at privacy.net> might have written:

>On Tue, 14 Jun 2005 11:52:13 +0200,
>Denis WERNERT <penguin_archer at yahoo.com> wrote:
>
>> The script could be SUID Root, and you could use os.setuid immediately
>> after having performed the task to switch to a non-priviledged
>> user. May be a big security risk, if someone can alter the script, he
>> gains root access to the system...

>I am *not* advocating suid scripts, and *ESPECIALLY NOT* suid Python
>programs, but if a user can modify an unwriteable suid script owned by
>root in a an unwriteable directory, then they already have root access
>to the system (unless there's' a kernel or filesystem bug, in which case
>all bets are off anyway).

I believe that the suid bit on scripts (either *sh or python) is
completely ignored on most *nix systems.

Try this in a shell (bash or ksh) as a sudo-capable user:

echo hello >/tmp/tmp
sudo chown root /tmp/tmp
sudo chmod 600 /tmp/tmp
cat >/tmp/ax.py <<@
#!/usr/bin/env python
x = open("/tmp/tmp", "w")
x.write("there")
x.close()
@
sudo chown root /tmp/ax.py
sudo chmod a=rx,u+s /tmp/ax.py
ls -l /tmp/ax.py /tmp/tmp
/tmp/ax.py

I get:

-r-sr-xr-x  1 root users 75 2005-06-14 16:15 /tmp/ax.py
-rw-------  1 root users  6 2005-06-14 16:15 /tmp/tmp
Traceback (most recent call last):
  File "/tmp/ax.py", line 2, in ?
    x = open("/tmp/tmp", "w")
IOError: [Errno 13] Permission denied: '/tmp/tmp'

-- 
TZOTZIOY, I speak England very best.
"Be strict when sending and tolerant when receiving." (from RFC1958)
I really should keep that in mind when talking with people, actually...



More information about the Python-list mailing list