Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!wuarchive!udel!rochester!kodak!ispd-newsserver!ism.isc.com!ico!rcd
From: rcd@ico.isc.com (Dick Dunn)
Newsgroups: comp.unix.aix
Subject: Re: bsh & ksh running setuid
Summary: ouch!
Message-ID: <1991Apr29.200328.5668@ico.isc.com>
Date: 29 Apr 91 20:03:28 GMT
References: <1991Apr29.132514.8361@eagle.lerc.nasa.gov>
Organization: Interactive Systems Corporation, Boulder, CO
Lines: 16

fsfrick@bones.lerc.nasa.gov (David Fricker) writes:
> FYI: under AIXv3.1 release 3003, bsh & ksh do NOT ignore the
> setuid bits when running a script...
...
> So, if you want scripts to run setuid and you have release 3003, you
> may want to save a copy of the bsh & ksh binaries.

1. I'm not clear on how this is a property of the shells, rather than the
   OS.  Seems that the shell isn't going to be able to alter its own uid;
   it needs kernel help at exec() time.

2. For those who haven't run into this before:  Note that setuid shell
   scripts are a security sieve.
--
Dick Dunn     rcd@ico.isc.com -or- ico!rcd       Boulder, CO   (303)449-2870
   ...If you plant ice, you're gonna harvest wind.
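
An audit check for the situation discussed above, as an added example that is not part of the original post: it flags regular files that carry a setuid or setgid bit and begin with `#!`, i.e. the set-id scripts point 2 warns about. The function names `is_setid_script` and `audit_path` are illustrative.

```c
/* Added example: flag set-id files that start with "#!" (interpreter scripts).
 * Function names are illustrative, not taken from the post. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Pure check: regular file, setuid or setgid bit set, and a "#!" header.
 * Returns 1 for a set-id script, 0 otherwise. */
int is_setid_script(mode_t mode, const unsigned char *head, size_t n)
{
    if (!S_ISREG(mode))
        return 0;
    if (!(mode & (S_ISUID | S_ISGID)))
        return 0;
    return n >= 2 && head[0] == '#' && head[1] == '!';
}

/* Inspect one path. Returns 1 = set-id script, 0 = not, -1 = cannot inspect. */
int audit_path(const char *path)
{
    struct stat st;
    unsigned char head[2];
    size_t n;
    FILE *f;

    if (lstat(path, &st) != 0)   /* lstat: do not follow symlinks */
        return -1;
    if (!S_ISREG(st.st_mode) || !(st.st_mode & (S_ISUID | S_ISGID)))
        return 0;                /* not a set-id regular file: skip without opening */
    f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    n = fread(head, 1, sizeof head, f);
    fclose(f);
    return is_setid_script(st.st_mode, head, n);
}

int main(int argc, char **argv)
{
    int i, found = 0;
    for (i = 1; i < argc; i++) {
        int r = audit_path(argv[i]);
        if (r == 1) { printf("set-id script: %s\n", argv[i]); found = 1; }
        else if (r < 0) fprintf(stderr, "cannot inspect: %s\n", argv[i]);
    }
    return found;   /* non-zero exit status when anything was flagged */
}
```

Pass it the paths to check as arguments; the exit status is non-zero when at least one set-id script was found.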