securing SUID0 programs?

I am wondering how it is possible to secure a program using the exec() function that SUID0 world. After playing around with HackersLab for a while I was thinking that doing:

exec("IFS=''; export IFS;/bin/ls");

would do, where /bin/ls is the full path to the program, but can someone not just change PATH to /tmp so that the command 'export' actually executes /bin/bash ? Would this work? Or is it possible to lock down a SUID0 world executable script?



/me is wondering this out of curiosity, I know it is better to have other ways then SUID0 scripts, I am just wondering.

[joe_bruin]

i believe you are confusing the execve(2) function with the system(3) function. there is no unix "exec" (there is a shell function called exec).

system() calls the shell (sh -c) to execute the commandline given, and is not very safe. it is vulnerable to similar tricks as you described above.

execve() and the exec(3) family of calls (like execv() and execl()) are generally immune to stupid shell tricks (unless you explicitly call a shell program), and can be made safe with a little care.

I mean a C program using execl() and the exec() family can still be tricked into using the wrong file by modyfying the $IFS variable, no?

[joe_bruin]

execl() and friends do not use the shell. they do not (for the most part) look at environment variables, and they do not perform wildcard expansions or alias interpretations (those are shell features). they pass their params directly to the kernel, and are safe from shell manipulations. IFS is entirely a shell thing.

these functions can be tricked by the use of chroot, although you must be root to chroot, so it's not a very big concern.

correction, i believe the execp* functions use the PWD environment variable to build an absolute path. and some others just read and pass the environment directly, but they do not use the environment variables for anything.

oh, ok, I was just wondering wether it was possible to secure a SUID0 world exec script, thanks!