Path: utzoo!attcan!uunet!ns-mx!iowasp.physics.uiowa.edu!maverick.ksu.ksu.edu!zaphod.mps.ohio-state.edu!usc!snorkelwacker!ira.uka.de!smurf!urlichs
From: urlichs@smurf.sub.org (Matthias Urlichs)
Newsgroups: comp.lang.perl
Subject: Re: Trouble with setuid
Message-ID: <yjn3f2.t+8@smurf.sub.org>
Date: 28 Aug 90 08:20:32 GMT
References: <^-i2f2.-42@smurf.sub.org> <1990Aug27.181341.425@iwarp.intel.com>
Organization: University of Karlsruhe, FRG
Lines: 20

In comp.lang.perl, article <1990Aug27.181341.425@iwarp.intel.com>,
  merlyn@iwarp.intel.com (Randal Schwartz) writes:
< In article <^-i2f2.-42@smurf.sub.org>, urlichs@smurf (Matthias Urlichs) writes:
< | It seems that A/UX 2.0(seeding final) doesn't honor the setuid bits when
< | invoking programs via a script.
< 
< Good for it.  It's working properly.  Suid scripts are a dangerous
< security hole.  Don't use'em.

Sorry, Randal, but I was not talking about the setuid bits of the script.
(If that wasn't obvious, sorry.)
What I have trouble with are the setuid bits of the _program_ (suidperl, in
that case), which are also not honored.

In that case, there's no security hole, since suidperl will first open the
script and then use fstat() to find out about the setuid bits.

-- 
Matthias Urlichs -- urlichs@smurf.sub.org -- urlichs@smurf.ira.uka.de
Humboldtstrasse 7 - 7500 Karlsruhe 1 - FRG -- +49+721+621127(Voice)/621227(PEP)