From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from jazzdrum.ncsc.mil (zombie.ncsc.mil [144.51.88.131]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id k7VDOCo3032736 for ; Thu, 31 Aug 2006 09:24:12 -0400
Received: from mx1.redhat.com (jazzdrum.ncsc.mil [144.51.5.7]) by jazzdrum.ncsc.mil (8.12.10/8.12.10) with ESMTP id k7VDNYi7013996 for ; Thu, 31 Aug 2006 13:23:35 GMT
Subject: Re: type transitioning script race condition?
From: Karl MacMillan
To: Joshua Brindle
Cc: russell@coker.com.au, Klaus Weidner , selinux@tycho.nsa.gov, Stephan Mueller
In-Reply-To: <44F6539E.7090800@gentoo.org>
References: <20060830223937.GB12307@w-m-p.com> <200608310918.03263.russell@coker.com.au> <44F6539E.7090800@gentoo.org>
Content-Type: text/plain
Date: Thu, 31 Aug 2006 09:23:52 -0400
Message-Id: <1157030632.3106.7.camel@localhost.localdomain>
Mime-Version: 1.0
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Wed, 2006-08-30 at 23:12 -0400, Joshua Brindle wrote:
> Russell Coker wrote:
>
> >On Thursday 31 August 2006 08:39, Klaus Weidner wrote:
> >
> >>This sounds as if it suffers from the well known race condition that
> >>makes setuid shell scripts a bad idea - is there any protection in place
> >>to prevent users from exploiting the race condition to run code of their
> >>own choice in the new domain?
> >>
> >
> >Correct. As long as the script is run in a domain that has less privileges
> >than the calling code this isn't a problem. If running a script causes a
> >transition to a more privileged domain then that's a policy bug.
> >
> this happens quite a bit, including our own selinux management script
> semanage. In addition to the race condition (that is not fixable on
> Linux AFAIK) there are other environmental contamination issues,
>
> There are some plans to fix the environmental contamination issues using
> a wrapper that cleanses the environment ala atsecure but the race is not
> fixable as far as I know.
>

If you write a C program wrapper, both issues should be greatly mitigated
because you are no longer gaining privilege on the script execution - see
http://svn.python.org/view/python/trunk/Misc/setuid-prog.c?rev=11583&view=auto.
I've been meaning to do this for semanage for a while but haven't gotten
to it yet.

Karl
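The wrapper approach discussed in this message, as an added example that is not part of the original e-mail and is not taken from setuid-prog.c: the privilege change (setuid bit or SELinux entrypoint) sits on a compiled binary, which runs a constant script path with a constant environment. `INTERP`, `SCRIPT` and the environment values are assumptions, and the script and its parent directories are assumed not to be writable by the caller.

```c
/* Added example: a compiled wrapper that is the privileged entry point
 * instead of the script. INTERP and SCRIPT are hypothetical paths. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define INTERP "/usr/bin/python"                 /* assumed interpreter */
#define SCRIPT "/usr/libexec/example/manage.py"  /* hypothetical script */
#define MAX_ARGS 64

/* Fixed environment: nothing the caller exported (PYTHONPATH, LD_*, ...)
 * reaches the interpreter. */
static char *const clean_env[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
    "LANG=C",
    NULL
};

/* Build the interpreter's argv. The script path is a compile-time constant,
 * so no caller-supplied name is re-opened after the privilege change.
 * Returns the number of entries before the NULL, or -1 if argc is invalid
 * or the result does not fit in out[]. */
int build_argv(int argc, char *const argv[], char *out[], size_t outlen)
{
    size_t n = 0;

    if (argc < 1 || (size_t)argc + 2 > outlen)
        return -1;
    out[n++] = (char *)INTERP;
    out[n++] = (char *)SCRIPT;
    for (int i = 1; i < argc; i++)   /* drop argv[0], keep user arguments */
        out[n++] = argv[i];
    out[n] = NULL;
    return (int)n;
}

int main(int argc, char *argv[])
{
    char *args[MAX_ARGS];

    if (build_argv(argc, argv, args, MAX_ARGS) < 0) {
        fputs("wrapper: bad argument count\n", stderr);
        return 2;
    }
    execve(INTERP, args, clean_env);
    perror("wrapper: execve");       /* only reached if execve failed */
    return 127;
}
```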