I am currently charged with the task of writing a wrapper for the Solaris pkgadd command. This command installs software packages, and must be run as root. We want to wrap this command to add some security checks (so that packages with suid programs couldn't be installed, and to disallow the use of installation scripts in the package.) Our wrapper would have to be run with sudo, so that it can spawn pkgadd to do the installation.
My first thought was to use Perl, of course, since it is quite natural to do the security checks on the packages with a collection of regular expressions. However, a member of my group says that it is possible to break out of the sudo'd perl script after it calls system() and end up with a root shell. That is obviously bad, and if we can't work around it to ensure that the perl script cannot be interrupted or otherwise hijacked into giving a root shell, I will have to find an alternate solution.
I can't see how that would happen, though. When system() is executed, a shell is only spawned if the command line has metacharacters in it. I know that the command line won't have any metacharacters in it, and thus the call will not spawn a shell; it will just fork+exec pkgadd. Thus, if pkgadd were somehow interrupted or sent a signal to exit, it would just die. There would be no shell to return to, and thus no root shell to give the user control of. Similarly, if perl were interrupted somehow, there is no root shell to go to. It just exits to the original shell, which is under the user's regular userid.
Is this a correct analysis? Or do we need to be concerned that using system() from a sudo'd perl program can allow a user access to a root shell, or some other horrible situation?
In reply to Security concern with sudo and system() by evlg
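As an added example (not part of the original post and not evlg's wrapper), here is the shape of a sudo'd wrapper that keeps the property the post relies on: the list form of system() makes perl call exec directly, so no /bin/sh is ever between the wrapper and pkgadd, and an interrupted pkgadd simply returns a non-zero status to perl. It also shows the kind of regex checks mentioned in the post, run over the package's pkgmap to refuse setuid/setgid files and install scripts. Assumptions: pkgadd lives at /usr/sbin/pkgadd, packages are staged in the default spool directory /var/spool/pkg, and pkgmap follows the SVR4 field layout ("part ftype class path mode owner group ..." for files, "part i name ..." for install scripts). The sample pkgmap at the bottom is constructed so the check can be tried off a Solaris box.

```perl
#!/usr/bin/perl -T
# Added example, not the original poster's code. Wrapper skeleton for
# "sudo pkgwrap PKGNAME": validates the package, then runs pkgadd
# without ever involving a shell.
use strict;
use warnings;

# Under -T everything in %ENV is tainted. Pin PATH and drop variables
# that could influence pkgadd or any program it runs.
$ENV{PATH} = '/usr/sbin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV PERL5LIB PERLLIB LD_LIBRARY_PATH LD_PRELOAD)};

my $PKGADD = '/usr/sbin/pkgadd';   # assumed location of the real binary
my $SPOOL  = '/var/spool/pkg';     # assumed spool directory (pkgadd's default)

# Untaint the package instance name. Only the characters such a name may
# contain are accepted; metacharacters, "..", a leading "-" etc. are refused.
sub untaint_pkg {
    my ($raw) = @_;
    my ($ok) = $raw =~ /\A([A-Za-z0-9][A-Za-z0-9._+-]{0,31})\z/
        or die "refusing package name '$raw'\n";
    return $ok;
}

# Scan pkgmap lines; returns the list of reasons to refuse (empty if clean).
# A mode whose high octal digit has the 4 or 2 bit set is setuid/setgid.
sub pkgmap_problems {
    my @lines = @_;
    my @problems;
    for my $line (@lines) {
        next if $line =~ /^\s*(?:#|:|$)/;          # comment, ":" header, blank
        my ($part, $ftype, @rest) = split ' ', $line;
        next unless defined $ftype;
        if ($ftype eq 'i') {                       # install/class-action script
            push @problems, "install script: $rest[0]";
            next;
        }
        if ($ftype =~ /^[fve]$/) {                 # regular/volatile/editable file
            my ($class, $path, $mode) = @rest;
            if (defined $mode && $mode =~ /^[0-7]{4}$/ && (oct($mode) & 06000)) {
                push @problems, "setuid/setgid file: $path mode $mode";
            }
        }
    }
    return @problems;
}

# Validate the spooled package and install it.
sub install_package {
    my ($pkgname) = @_;
    my $pkg = untaint_pkg($pkgname);               # $pkg is now untainted
    my $dir = "$SPOOL/$pkg";
    open my $fh, '<', "$dir/pkgmap" or die "no pkgmap in $dir: $!\n";
    my @problems = pkgmap_problems(<$fh>);
    close $fh;
    die "refusing $pkg:\n" . join('', map { "  $_\n" } @problems) if @problems;

    # LIST form: perl execs $PKGADD directly with these exact arguments.
    # No shell parses them, so there is no shell to "break out" into;
    # if pkgadd is interrupted, system() just returns its exit status.
    # (A single-string system("$PKGADD -n -d $SPOOL $pkg") would also exec
    # directly only as long as the string has no shell metacharacters.)
    system($PKGADD, '-n', '-d', $SPOOL, $pkg) == 0
        or die "pkgadd exited with status " . ($? >> 8) . "\n";
    return 1;
}

# Constructed sample pkgmap, used when run with no argument so the check
# can be exercised anywhere. One setuid file and one postinstall script.
my @SAMPLE_PKGMAP = (
    ': 1 1234',
    '1 d none /opt/example 0755 root bin',
    '1 f none /opt/example/bin/tool 4755 root bin 1234 5678 1000000000',
    '1 f none /opt/example/README 0644 root bin 100 200 1000000000',
    '1 i postinstall 300 400 1000000000',
);

if (@ARGV == 0) {
    print "$_\n" for pkgmap_problems(@SAMPLE_PKGMAP);
    exit 0;
}
die "usage: $0 PKGNAME\n" if @ARGV != 1;
install_package($ARGV[0]);
```

Because of the -T on the shebang line, the script has to be invoked directly (which is how sudo runs it), not as "perl pkgwrap"; taint mode is what forces the untaint_pkg regex before the name can reach system(). The checks are only as good as the pkgmap, so the wrapper refuses to run when the file is missing rather than falling through to pkgadd.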