-
Notifications
You must be signed in to change notification settings - Fork 0
/
suid.conf
89 lines (87 loc) · 4.09 KB
/
suid.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# Sample /etc/suid.conf
#
# This Works is placed under the terms of the Copyright Less License,
# see file COPYRIGHT.CLL. USE AT OWN RISK, ABSOLUTELY NO WARRANTY.
#
# Empty lines and lines starting with # are ignored
# All other lines mostly conform to /etc/passwd format:
#
## command:pw:user:group:minmax:dir:/path/to/binary:args..
#
# For escaping binary/args which contain ':' see below
#
# "command": this must be given to "suid" as first argument.
# "pw": must be empty for now
# "user" and "group" are:
# - "" (empty): Effective UID/GID is used
# - "*": UID/GID of the calling user is used
# - "=": GID from the USER entry is used
# - "num": UID/GID
# - "name": Username/Groupname is used
# "minmax" are flags:
# - "C": argv[0] is taken from suid cmd name (default: as given)
# - "D": debugging to stderr
# - "F": argv[0] is file name of real exec'd file
# - "I": insecure operation (do not check exec'd file permission)
# - "N": argv[0] is taken from the first arg, rest are normal args
# - "R": argv[0] is real path of real exec'd file
# - "S": disable shellshock prevention (allows env starting with '() {')
# - "T": disable setsid(). Enables abuse of TIOCSTI, see CVE-2016-2779
# - "W": leak FD of the file/script to the file/script (allows Shebang)
# - "num": minimum number of args from commandline, optional, default 0
# - "-num": maximum number of args, if "num" missing unlimited, defaults to min
# "dir": optional directory, if not set (empty) directory is not changed
# - "." uses the HOME of the user as directory
# "/path/to/binary": command to execute
# - this can be prefixed by optional list of modifiers like "suid" or "root", see below.
# - to stay compatible to future versions of suid, "commands" must contain at least one "/"
# ":args..": optional list of preset arguments, separated by ':'. Can be left away.
# - Commandline arguments are added to the end of this list, if "minmax" permits.
#
# Modifiers are ":"-separated prefixes to "/path/to/binary":
# - "suid:" run suid capable program with the given uid/gid as the effective uid/gid (real stays at the invoking user)
# - "root:" run suid capable program with the given uid/gid as the real uid/gid (effective uid/gid comes from suid, usually 0/0)
# - "toor:" as "root:" but with effective/real UID reversed
# - "bash:" call it via `/bin/bash -c -- 'exec -a "$0" -- "$@"'`
# - "sh:" call it via `/bin/sh -c -- 'exec -- "$@"'`
#
# Example mitigation of CVE-2021-3156 without install of a fixed version of "sudo":
# - sudo tee -a /etc/suid.conf.d/sudo <<<'sudo:::*:C-::suid:/usr/bin/sudo'
# - suid sudo chmod 755 /usr/bin/sudo
# This removes suid from "sudo" and makes it impossible to exploit
# the flaw in "sudo" if invoked via a softlink as "sudoedit".
# This changes the environment to sudo, hence use at own risk.
#
## Environment:
#
# If a ShellShock-Pattern is detected, the variable is not set.
# - Use option "S" to pass ShellShock pattern
#
# All existing environment variables are prefixed with "SUID_", except:
# - "TERM" is preserved
# - a default "PATH" is set
# - "SUIDUID" and "SUIDGID" are set to the original UID/GID of the caller.
# - "SUIDPWD" is set to the original current directory.
#
## Escapes:
#
# There are two (only two) escape sequences (literally) understood:
#
# '\\:' which takes precedence and is removed.
# '\:' which is the escape for ':'.
# Hence in scripts which modify this file here (or extend suid.conf.d)
# you can unambiguously escape ':' in arguments to '\\:\:'.
#
# These escapes can be easily scanned forward and backward,
# and an escaped command can be easiliy and unambiguously created in /bin/bash:
# cmd=(command line args); printf ':%s\\\\:' "${cmd[@]//:/\\\\:\\:}"
# as long as there is no linefeed anywhere. With linefeeds do:
# printf -v esc1 ' %q' "${cmd[@]}"; printf ":bash:-c:%s" "${esc1//:/\\\\:\\:}"
#
# Examples:
# 'ab' can be written as 'a\\:b' or '\\:a\\:b\\:' or similar.
# 'a:b' must be 'a\:b' at least and should be 'a\\:\:b'.
# 'a\b' can be 'a\b' but 'a\\\:b' is ok as well.
# 'a\:b' must be 'a\\\:\:b' as 'a\\:b' becomes 'ab'. Compare:
# 'a\\:b' must be 'a\\\\:\:b', so adding a '\' is possible.
#echo::::D-:/:/bin/echo:--