Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!zaphod.mps.ohio-state.edu!samsung!emory!gatech!prism!gt0178a
From: gt0178a@prism.gatech.EDU (Jim Burns)
Newsgroups: comp.unix.questions
Subject: Re: How secure are shell scripts? (summary)
Message-ID: <15059@hydra.gatech.EDU>
Date: 12 Oct 90 06:03:06 GMT
References:
Organization: Georgia Institute of Technology
Lines: 18

in article , jim@cs.strath.ac.uk (Jim Reid) says:
> The hack by HP is precisely that: a hack. It fixes one or two possible
> problems, but not them all. (For instance doing naughty things with
> (symbolic) links to the setuid shell script or replacing the file as
> it is being exec'ed....) The end result of that is a false illusion
> that setuid ksh scripts are secure. Misguided individuals then make

The first problem can be handled by starting w/'#!/bin/ksh -'. As for the
second, I personally don't have the patience to sit there at adjoining
terminals and try to swap files fast enough. It's like securing your car or
home - all you can do is make it harder, not impossible. If it isn't setuid
scripts that are being exploited, it will be something else.
-- 
BURNS,JIM
Georgia Institute of Technology, Box 30178, Atlanta Georgia, 30332
uucp: ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!gt0178a
Internet: gt0178a@prism.gatech.edu
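
Added example, not part of the original post: a defender's inventory of the setuid scripts this thread is about. It lists every setuid or setgid file under a directory that starts with '#!' and records whether the interpreter line ends with the lone '-' argument mentioned above; the function name and the DASH/NODASH tags are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid interpreter scripts under a directory.
# audit_setid_scripts and the DASH/NODASH tags are hypothetical names.

audit_setid_scripts() {
    # $1 = directory to scan. One output line per setuid/setgid script:
    #   DASH <path>    "#!" line ends with a lone "-" argument
    #   NODASH <path>  "#!" line has no trailing "-"
    # Every line printed is a setuid script and deserves review either way.
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        # Compare only the two magic bytes so compiled binaries are skipped.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
        [ "$magic" = '#!' ] || continue

        # First line only; tolerate a file with no trailing newline.
        first=
        IFS= read -r first < "$f" || [ -n "$first" ] || continue

        # Trim trailing whitespace (including a stray CR).
        first=${first%"${first##*[![:space:]]}"}

        case $first in
            *[[:space:]]-) tag=DASH ;;
            *)             tag=NODASH ;;
        esac
        printf '%s %s\n' "$tag" "$f"
    done
}

# Stand-alone use: pass the directory to scan as the first argument.
if [ "$#" -gt 0 ]; then
    audit_setid_scripts "$1"
fi
```

Paths containing newlines are not handled, since the scan reads find's output one line at a time.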