[Nix-dev] Setuid wrapper for bash script
Leo Gaspard
leo at gaspard.io
Wed Sep 14 23:55:09 CEST 2016
On 09/14/2016 11:04 PM, Daniel Hlynskyi wrote:
> Thanks! Actually, I really missed the case when user could alter PATH
> with custom `systemctl` and execute arbitrary code.
>
> restartScript = pkgs.writeScriptBin "defenders" ''
> #!${pkgs.bash}/bin/bash -p
> [[ -z "$1" ]] && echo Specify operation: start, stop, restart, status && exit 1
> ${pkgs.systemd}/bin/systemctl "$1" defenders.service
> '';
>
> Still, I'm not sure whether I've done it right, maybe better would be to
> su as root and clear shell variables?
If you fear injection of PATH, then just using full paths won't work:
the caller can also supply IFS=/ and a custom path to inject a command.
Then, I don't know exactly how setuid wrappers internally work, so maybe
it already cleans the environment up?
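Added example, not part of the original thread and not NixOS's own wrapper code: a small C launcher that does not depend on whether the wrapper or the shell cleans the environment, because it passes a fixed environment to `execve` and accepts only the four operations the script above names. `SYSTEMCTL_PATH` is a placeholder for the absolute systemctl path, and the `PATH` value in the fixed environment is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Placeholder: substitute the absolute path of systemctl at build time. */
#ifndef SYSTEMCTL_PATH
#define SYSTEMCTL_PATH "/path/to/systemctl"
#endif

/* The four operations the script in the thread offers. */
static const char *const ALLOWED_OPS[] = { "start", "stop", "restart", "status" };

/* Exact-match allowlist: anything else, including options, is rejected. */
int op_allowed(const char *op)
{
    if (op == NULL)
        return 0;
    for (size_t i = 0; i < sizeof ALLOWED_OPS / sizeof ALLOWED_OPS[0]; i++)
        if (strcmp(op, ALLOWED_OPS[i]) == 0)
            return 1;
    return 0;
}

/* Fixed child environment (assumed values); the caller's PATH, IFS,
 * BASH_ENV and so on are never copied into it. */
static char *const CLEAN_ENV[] = { "PATH=/run/current-system/sw/bin", "LANG=C", NULL };
char *const *clean_env(void) { return CLEAN_ENV; }

/* Build the child's argv; returns 0 on success, -1 if op is not allowed. */
int build_argv(const char *op, char *out[4])
{
    if (!op_allowed(op))
        return -1;
    out[0] = "systemctl";
    out[1] = (char *)op;
    out[2] = "defenders.service";
    out[3] = NULL;
    return 0;
}

int main(int argc, char **argv)
{
    char *child_argv[4];
    if (argc != 2 || build_argv(argv[1], child_argv) != 0) {
        fprintf(stderr, "Specify operation: start, stop, restart, status\n");
        return 1;
    }
    /* No shell is involved: the program is named by absolute path and
     * receives only the fixed environment. */
    execve(SYSTEMCTL_PATH, child_argv, clean_env());
    perror("execve");
    return 127;
}
```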