Path: utzoo!utgpu!watserv1!watmath!att!linac!pacific.mps.ohio-state.edu!zaphod.mps.ohio-state.edu!samsung!cs.utexas.edu!helios!bcm!dimacs.rutgers.edu!seismo!uunet!auspex!guy
From: guy@auspex.auspex.com (Guy Harris)
Newsgroups: comp.sys.alliant
Subject: Re: chmod set owner to root of scripts
Message-ID: <4584@auspex.auspex.com>
Date: 29 Nov 90 18:45:09 GMT
References: <1990Nov15.141015.25076@eagle.lerc.nasa.gov> <1595@svin02.info.win.tue.nl>
Organization: Auspex Systems, Santa Clara
Lines: 27

>Good thing. Set-uid shell scripts are an evil thing. It takes just two
>commands to fool the system into giving someone an interactive shell.
>Hint: sh -i. Have a look at recent discussions in comp.unix.whatever
>about this topic.

Well, actually, if you make the "#!" line read as "#! /bin/sh -" rather than
"#! /bin/sh", the particular trick to which you're referring won't work.

However, in most systems that support the usual form of "#!", it takes just
one program and one command to fool the system into giving someone an
interactive shell, and there's no way to set up your shell script so that
you can't fool the system - it requires cooperation on the part of whatever
implements "#!" (typically the kernel), and that cooperation isn't provided
by most UNIX systems (System V Release 4 provides it, as will, I think,
4.4BSD).

There are other mechanisms for providing set-UID shell scripts that may also
close that particular hole, e.g. a program Maarten Litmath wrote (which is
mentioned in the aforementioned recent discussions).

However, note that, just as set-UID *programs* have to be written carefully
to make sure they don't contain security holes, set-UID *shell scripts* have
to be written carefully as well - and, given that shells tend to be
relatively large programs implementing reasonably powerful languages, it may
be difficult to know whether you've closed every possible security hole.
(Did you remember to set "IFS", if the script is a Bourne/Korn/Bourne-again
script? What about setting "PATH"?)
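The three concrete points in the post (an interpreter line of the form "#! /bin/sh -", and IFS and PATH set before anything else runs) can be checked mechanically. The audit below is an added example, not code from the post or from any of the programs it mentions; it assumes a POSIX sh with awk and mktemp, and the sample scripts it audits are constructed for the demonstration.

```sh
# Added example: audit a shell script for the hardening points raised in
# the post before anyone considers making it set-UID.  Checks that the
# interpreter line ends its option list with "-" and that IFS and PATH
# are assigned before the first real command.  Returns 0 if all pass.
audit_script() {
    f="$1"
    rc=0
    first=$(head -n 1 "$f")
    case "$first" in
        '#!'*' -') ;;                       # option list terminated by "-": OK
        '#!'*) echo "$f: interpreter line lacks a trailing '-': $first"; rc=1 ;;
        *)     echo "$f: no #! interpreter line"; rc=1 ;;
    esac
    # Skip the #! line, comments and blank lines.  The only statements
    # allowed before the first command are IFS=/PATH= assignments and
    # their export; awk exits 0 only if both assignments were seen.
    awk '
        NR == 1          { next }
        /^[ \t]*#/       { next }
        /^[ \t]*$/       { next }
        /^[ \t]*IFS=/    { ifs = 1; next }
        /^[ \t]*PATH=/   { path = 1; next }
        /^[ \t]*export[ \t]/ { next }
        { exit }                            # first real command: stop looking
        END { exit !(ifs && path) }
    ' "$f" || { echo "$f: IFS and PATH not both set before the first command"; rc=1; }
    [ "$rc" -eq 0 ] && echo "$f: OK"
    return "$rc"
}

# Stand-alone demonstration on constructed sample scripts (not real set-UID
# scripts); the hardened one passes, the bare "#! /bin/sh" one does not.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#! /bin/sh -' '# constructed: hardened prologue' \
        "IFS=' '" 'PATH=/bin:/usr/bin' 'export IFS PATH' 'echo hello' > "$d/good.sh"
    printf '%s\n' '#! /bin/sh' 'echo hello' > "$d/bad.sh"
    if audit_script "$d/good.sh"; then good=0; else good=1; fi
    if audit_script "$d/bad.sh";  then bad=0;  else bad=1;  fi
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
demo
```

The check is deliberately narrow: it confirms the prologue the post asks about, not that the rest of the script is safe.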