Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!wuarchive!uunet!mcsun!ukc!ox-prg!prg.ox.ac.uk!bush
From: bush@prg.ox.ac.uk (Mark Bush)
Newsgroups: comp.lang.perl
Subject: Scripts read from stdin
Message-ID: <1854@culhua.prg.ox.ac.uk>
Date: 11 Jun 91 14:16:40 GMT
Sender: news@prg.ox.ac.uk
Organization: Oxford University Computing Laboratory
Lines: 24
Originator: bush@thom5.ecs

Should taintperl be allowed to read scripts from stdin?  If so then suid
scripts are a security hole!

If I make a symbolic link called `-' to a suid script, cd to the
directory containing said link, have `.' on my path, then I just execute
`-'.  With `bash' as my shell, the script appears to be run as `./-' so
there is no problem.  With csh, for example, the script gets run as `-'.
The system sees the reference `#!/usr/bin/taintperl' or whatever at the
start and a new process is created with argument list:

/usr/bin/taintperl -

Now taintperl sees `-' as an argument and tries to read a script from
stdin.  The user merely has to type:

exec '/bin/sh';
^D

to get a shell running with the perl script's privileges!

This is all on a Sun anything running any kind of SunOS.  I imagine the
same thing holds anywhere?

Should taintperl, then, treat an argument of `-' as if it were `./-' or
what?

Mark
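
The rewrite the post asks about in its last question (treating `-' as `./-'), sketched as an added example; this is not perl's code or anything from the original post. The function names and the sample names in main() are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not taken from perl): rewrite a script name so an
 * interpreter cannot mistake it for an option or for "read from stdin".
 * Returns 0 on success, -1 if the name is empty or does not fit in out. */
int safe_script_arg(const char *arg, char *out, size_t outlen)
{
    const char *prefix;
    int n;

    if (arg == NULL || arg[0] == '\0')
        return -1;
    /* Only a leading '-' is ambiguous with an option; "./-" names the
     * same file as "-" relative to the current directory. */
    prefix = (arg[0] == '-') ? "./" : "";
    n = snprintf(out, outlen, "%s%s", prefix, arg);
    if (n < 0 || (size_t)n >= outlen)
        return -1;              /* refuse to pass on a truncated name */
    return 0;
}

/* Convenience for checking: 1 if arg is rewritten to exactly expected. */
int rewrites_to(const char *arg, const char *expected)
{
    char buf[64];
    return safe_script_arg(arg, buf, sizeof buf) == 0 &&
           strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample names, as they might arrive after "#!" handling. */
    const char *samples[] = { "-", "-e", "./-", "script.pl", "/usr/local/bin/tool" };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (safe_script_arg(samples[i], buf, sizeof buf) == 0)
            printf("%-22s -> %s\n", samples[i], buf);
        else
            printf("%-22s -> rejected\n", samples[i]);
    }
    return 0;
}
```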