Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!ames!dftsrv!mimsy!chris
From: chris@mimsy.umd.edu (Chris Torek)
Newsgroups: comp.unix.questions
Subject: Re: setuid shell scripts (was: Re: Running processes as root)
Message-ID: <20367@mimsy.umd.edu>
Date: 24 Oct 89 16:42:28 GMT
References: <21240@adm.BRL.MIL> <20329@mimsy.umd.edu> <3789@solo6.cs.vu.nl>
Organization: U of Maryland, Dept. of Computer Science, Coll. Pk., MD 20742
Lines: 28

In article <20329@mimsy.umd.edu> (look, domain names now!) I wrote:
>\On all of the BSD derivatives on which setuid scripts run setuid,
>\all such setuid scripts are not secure.

In article <3789@solo6.cs.vu.nl> maart@cs.vu.nl (Maarten Litmaath) writes:
>It almost never happens, but this time you seem to be wrong, Chris!

Not really, because I meant `if you write /etc/foo, make it setuid,
start it with ``#! /bin/csh -bf'', and run it, and it runs setuid, then
it is not secure.'

>\You have to write at least one C program.

>Indeed: /bin/indir! (Formerly /bin/setuid.)

I am not going to promise that /bin/indir will do the trick (having seen
too many ways to fool too many shells), but by using /bin/indir you have
met my restriction (`at least one C program').  I should rephrase it:

Given the current kernel implementation, a setuid script is not secure
unless its `setuid-ness' is provided by a separate C program that makes
additional security checks (and possibly still not even then).
-- 
`They were supposed to be green.'
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain: chris@cs.umd.edu	Path: uunet!mimsy!chris
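[Editor's note: the following is an added example, not part of Torek's post and not the code of /bin/indir.]  The post's closing rule is that setuid-ness must come from a separate C program that makes its own checks.  The classic kernel problem behind that rule is that the kernel evaluates the setuid bit on the script, then starts the interpreter with the script's pathname, which the interpreter opens a second time; whatever that name resolves to at the second open is what gets run as the privileged user.  The wrapper sketch below shows the checks such a C program would make: it accepts only a bare file name under a fixed directory, opens the file once, judges it by fstat() on the open descriptor (regular file, owned by the uid the wrapper runs as, not group- or world-writable, no set-id bits of its own), hands the interpreter the descriptor via /dev/fd instead of the name, and gives the shell a fixed environment rather than the caller's PATH and IFS.  The directory /usr/local/lib/indir/, the interpreter /bin/sh, and the availability of O_NOFOLLOW and /dev/fd are assumptions; they are modern POSIX/BSD facilities, not something the 1989 kernels in the thread provided, and as Torek says a wrapper like this still does not make the shell itself trustworthy.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed directory holding the only scripts this wrapper will run. */
#define SCRIPT_DIR "/usr/local/lib/indir/"
/* Assumed interpreter; it must accept a /dev/fd/N path as its script. */
#define INTERP "/bin/sh"

enum verdict {
    V_OK = 0,
    V_NOT_REGULAR,   /* not a plain file: symlink, device, directory ... */
    V_BAD_OWNER,     /* not owned by the uid the wrapper is setuid to */
    V_WRITABLE,      /* group- or world-writable: anyone could edit it */
    V_SETID_BITS     /* script itself carries setuid/setgid: unexpected */
};

/* Only a bare file name is accepted, so the path cannot leave SCRIPT_DIR
   ("..", "../x", "/etc/passwd" and dot-files are all refused). */
int name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '.')
        return 0;
    return strchr(name, '/') == NULL;
}

/* Judge an already-open script by its fstat() data.  Because the decision
   is made on the open file description, renaming or re-pointing the path
   afterwards cannot change what the interpreter will read. */
enum verdict check_stat(const struct stat *st, uid_t owner)
{
    if (!S_ISREG(st->st_mode))
        return V_NOT_REGULAR;
    if (st->st_uid != owner)
        return V_BAD_OWNER;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return V_WRITABLE;
    if (st->st_mode & (S_ISUID | S_ISGID))
        return V_SETID_BITS;
    return V_OK;
}

/* Exercise check_stat() with constructed stat values (used by the tests). */
enum verdict verdict_for(mode_t mode, uid_t uid, uid_t owner)
{
    struct stat st;
    memset(&st, 0, sizeof st);
    st.st_mode = mode;
    st.st_uid = uid;
    return check_stat(&st, owner);
}

int main(int argc, char **argv)
{
    char path[256];
    struct stat st;
    int fd;
    /* Fixed environment: the shell must not inherit the caller's PATH or IFS. */
    char *envp[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };
    /* The interpreter is given the descriptor we checked, not the name. */
    char *sh_argv[] = { "sh", "/dev/fd/3", NULL };

    if (argc != 2 || !name_is_safe(argv[1])) {
        fprintf(stderr, "usage: indir script-name\n");
        return 2;
    }
    if (snprintf(path, sizeof path, SCRIPT_DIR "%s", argv[1]) >= (int)sizeof path)
        return 2;

    /* Open first, check second: every decision is about this descriptor. */
    fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0 || fstat(fd, &st) < 0) {
        perror(path);
        return 1;
    }
    if (check_stat(&st, geteuid()) != V_OK) {
        fprintf(stderr, "%s: refusing to run\n", path);
        return 1;
    }
    if (dup2(fd, 3) < 0)
        return 1;
    execve(INTERP, sh_argv, envp);
    perror(INTERP);
    return 1;
}
```

The order matters: open, then fstat on the descriptor, then exec on /dev/fd/3.  Checking with stat() on the pathname before opening, or letting the shell reopen the name, would reintroduce the very window the kernel implementation suffers from.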