Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!mp.cs.niu.edu!bennett
From: bennett@mp.cs.niu.edu (Scott Bennett)
Newsgroups: comp.sys.next
Subject: Re: NextStep -> X tranfer problem
Message-ID: <1991Apr30.001514.24240@mp.cs.niu.edu>
Date: 30 Apr 91 00:15:14 GMT
References: <1991Apr29.022737.19106@mp.cs.niu.edu> <1991Apr29.041036.5734@shaman.com>
Organization: Northern Illinois University
Lines: 59

In article <1991Apr29.041036.5734@shaman.com> jiro@shaman.com (Jiro Nakamura) writes:
>In article <1991Apr29.022737.19106@mp.cs.niu.edu> bennett@mp.cs.niu.edu (Scott Bennett) writes:
>> In article <1991Apr28.203959.13420@cunixf.cc.columbia.edu> das15@cunixa.cc.columbia.edu (Douglas A Scott) writes:
>> >For times when I need to just kill the entire X apparatus, when it gets stuck,
>> >I just wrote the following script, which I set to setuid root:
>> >
>> The setuid root part shouldn't have any effect, so if it works,
>> then you don't need it. setuid is ignored for shell scripts.
>
> Sorry Scott, you're wrong on this one. My whole /usr/adm/* directory says
>you're wrong. Setuid is ignored on /bin/sh scripts, I think, but not on
>/bin/csh.

So I have been informed by Doug deJulio . My understanding was that UCB had closed this hole in 4.3BSD. Either that is not true or NeXT has reopened it. This is from what I last sent Doug:

It's not a problem if there are no shell scripts on a system that have the suid bit on. It is a problem on the NeXT unless and until there is a loudly marked description of the hole and how it could be abused in the NeXT documentation (e.g. the _Network_and_System_Administration_Manual_), so that individual NeXT users could decide for themselves whether they wished to have suid scripts lying around on their systems.

From the point of view of a network administrator, one might worry about the possibility that a workstation user could have suid scripts for various userid's that one wouldn't want breached, like uucp, root, operator, and so on, because of the potential hazard to the rest of the systems on one's network.

> Setuid scripts *are* a security hazard, but they do exist.

Unfortunately, that appears to be the case. I certainly hope NeXT will do something about it quickly. Documenting it in international orange would be a good first step. Closing the hole in later releases of the operating system would be a good followup.

>
>--
>Jiro Nakamura                           jiro@shaman.com
>Shaman Consulting                       (607) 253-0687 VOICE
>"Bring your dead, dying shamans here!"  (607) 253-7809 FAX/Modem

Scott Bennett, Comm. ASMELG, CFIAG
Systems Programming
Northern Illinois University
DeKalb, Illinois 60115
**********************************************************************
* Internet: bennett@cs.niu.edu                                       *
* BITNET: A01SJB1@NIU                                                *
*--------------------------------------------------------------------*
* "Spent a little time on the mountain, Spent a little time on the   *
* Hill, The things that went down you don't understand, But I        *
* think in time you will." Oakland, 19 Feb. 1991, first time         *
* since 25 Sept. 1970!!! Yippee!!!! Wondering what's NeXT... :-)     *
**********************************************************************
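
The administrator's concern in the message above (suid scripts owned by uucp, root, operator and so on lying around on a workstation) can be checked with a filesystem audit. The following is an added example, not part of the original post: it lists set-id files whose first line is a "#!" interpreter line, and the function name find_setid_scripts is hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post): list set-id interpreter scripts.
# find_setid_scripts is a hypothetical helper name; DIR defaults to /.
# Output columns (tab separated): mode, owner, interpreter line, path.
find_setid_scripts() {
    # -perm -4000 matches setuid, -perm -2000 matches setgid.
    # -xdev keeps the walk on one filesystem (run once per local filesystem).
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec sh -c '
            for f do
                [ -r "$f" ] || continue
                first=
                # Only the first line matters; read fails harmlessly on
                # files without a newline but still fills $first.
                IFS= read -r first < "$f" || :
                case $first in
                    "#!"*)
                        # Fields 1 and 3 of ls -ld are mode and owner.
                        ls -ld "$f" | {
                            read -r mode links owner rest
                            printf "%s\t%s\t%s\t%s\n" \
                                "$mode" "$owner" "${first#??}" "$f"
                        }
                        ;;
                esac
            done
        ' sh {} +
}
```

Run it as root so that unreadable files are not skipped; each reported path is a candidate for removing the set-id bit or replacing the script with a compiled wrapper.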