Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!mit-eddie!wuarchive!usc!ucsd!ucbvax!pasteur!aldebaran!carlton
From: carlton@aldebaran (Mike Carlton)
Newsgroups: comp.sys.next
Subject: Re: Ejecting the floppy
Message-ID: <10415@pasteur.Berkeley.EDU>
Date: 24 Jan 91 21:12:39 GMT
References: <10365@pasteur.Berkeley.EDU> <7887@umd5.umd.edu>
Sender: news@pasteur.Berkeley.EDU
Reply-To: carlton@aldebaran.berkeley.edu (Mike Carlton)
Distribution: usa
Organization: University of California at Berkeley
Lines: 30

In article <7887@umd5.umd.edu> matthews@lewhoosh.umd.edu (Mike Matthews) writes:
+In article <10365@pasteur.Berkeley.EDU> carlton@cs.berkeley.edu (Mike Carlton) writes:
...
+>The only way I can see is to use /usr/etc/disk and this is kludgey. It
+>should be possible to write a suid script that does '/usr/etc/disk -e
+>/dev/rfd0a'. Unfortunately, csh doesn't want to execute my script
+>(csh: Permission denied) even after I made the owner root and did a
+>chmod 4555 on the script. I imagine there's a simple fix I'm
+>overlooking.
+
+You're also overlooking a real big security hole. REAL big.
+
...
+>Mike Carlton carlton@cs.berkeley.edu
+------
+Mike Matthews, matthews@lewhoosh.umd.edu (NeXT)/matthews@umdd (bitnet)
+------
+Backed up the system lately?
+[these random quotes sure can hit the bullseye sometimes, eh? :-)]

The fix to make suid scripts is to give them the -b option, i.e. begin the
script with '#! /bin/csh -b'.

Would you care to give a little more detail on the security hole? Obviously
if someone obtains write access to a suid script you've got big problems.
But if they can get access to a root owned, 4755 file, then you've already
got problems because there are plenty of those on the disk already. Or is
there something else to worry about?

Mike Carlton carlton@cs.berkeley.edu
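
An added example, not part of the original post: a POSIX shell audit that lists the set-uid or set-gid files under a directory that are '#!' scripts rather than binaries, and reports whether a csh script carries the -b option mentioned above. The function name audit_suid_scripts and the tab-separated output layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): inventory set-uid/set-gid
# interpreter scripts so they can be reviewed or replaced.
# audit_suid_scripts is a hypothetical name chosen for this example.
# Output: one line per script, "path<TAB>interpreter line<TAB>note".
# File names containing newlines are not handled.

audit_suid_scripts() {
    dir=$1
    # -perm -4000 matches the set-uid bit, -perm -2000 the set-gid bit.
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # A script starts with the two bytes "#!" (hex 23 21). Reading
        # them with od avoids problems with NUL bytes in real binaries.
        magic=$(od -An -tx1 -N2 "$f" 2>/dev/null | tr -d ' \n')
        [ "$magic" = '2321' ] || continue
        # The rest of line 1 is the interpreter path plus its argument.
        interp=$(head -n 1 "$f" | sed 's/^#![[:space:]]*//')
        case $interp in
            */csh\ -*b*) note='csh with -b' ;;
            */csh*)      note='csh without -b' ;;
            *)           note='other interpreter' ;;
        esac
        printf '%s\t%s\t%s\n' "$f" "$interp" "$note"
    done
}

# Run stand-alone as: sh thisfile DIR
if [ "$#" -gt 0 ]; then
    audit_suid_scripts "$1"
fi
```

Every path it prints is a privileged script worth reviewing; files with the mode bits but no '#!' header are compiled programs and are skipped.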