Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!uwm.edu!linac!convex!usenet
From: tchrist@convex.com (Tom Christiansen)
Newsgroups: comp.lang.perl
Subject: Scripts read from stdin
Message-ID: <1991Jun16.211845.4454@convex.com>
Date: 16 Jun 91 21:18:45 GMT
References: <1854@culhua.prg.ox.ac.uk>
Sender: usenet@convex.com (news access account)
Reply-To: Tom Christiansen
Organization: CONVEX Computer Corporation, Richardson, Tx., USA
Lines: 27
Nntp-Posting-Host: pixel.convex.com

>Should taintperl be allowed to read scripts from stdin? If so then suid
>scripts are a security hole! If I make a symbolic link called `-' to a suid
>script, cd to the directory containing said link, have `.' on my path, then
>I just execute `-'. With `bash' as my shell, the script appears to be run
>as `./-' so there is no problem. With csh, for example, the script gets run
>as `-'. The system sees the reference `#!/usr/bin/taintperl' or whatever at
>the start and a new process is created with argument list:
>
>/usr/bin/taintperl -
>
>Now taintperl sees `-' as an argument and tries to read a script from
>stdin. The user merely has to type:
>
>exec '/bin/sh';

Can you actually use this to get a suid shell on your system? You don't
call taintperl directly. Perl will call taintperl or suidperl appropriately
for you. taintperl itself isn't suid, so this isn't going to be a problem.
Notice how 'suidperl -' doesn't work.

--tom
--
Tom Christiansen tchrist@convex.com convex!tchrist
"So much mail, so little time."
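The thread turns on one rule an interpreter that may run with elevated privileges has to enforce: a `-` (or absent) script argument means "read the program from stdin", and that must never be honoured when the real and effective uids differ, because the #! argument list is built from whatever name the script was invoked under. The following is an added illustration of that check, not code from perl, taintperl or suidperl; `resolve_script` and the injectable `ruid`/`euid` parameters are hypothetical names chosen for this example.

```python
import os

STDIN_REFUSED = "refusing to read a script from stdin while privileges are elevated"


def resolve_script(argv, ruid=None, euid=None):
    """Decide where an interpreter should read its program from.

    argv is the argument vector the kernel builds from a #! line, for example
    ['/usr/bin/taintperl', '-'] or ['/usr/bin/taintperl', './-'].
    ruid/euid default to the current process; they are injectable so the
    policy can be exercised without actually being setuid (hypothetical API).

    Returns ('stdin', None) or ('file', path).
    Raises PermissionError when a stdin-sourced script is requested under a
    real/effective uid mismatch, i.e. in exactly the situation the post describes.
    """
    ruid = os.getuid() if ruid is None else ruid
    euid = os.geteuid() if euid is None else euid
    privileged = ruid != euid

    script_args = argv[1:]
    # No script operand, or the conventional '-' operand, both mean stdin.
    if not script_args or script_args[0] == "-":
        if privileged:
            raise PermissionError(STDIN_REFUSED)
        return ("stdin", None)

    # Anything else is a path. './-' is a path to a file, not the stdin
    # marker, which is why the bash case in the post is harmless.
    return ("file", script_args[0])


def is_safe_invocation(argv, ruid, euid):
    """True when the invocation would be accepted under the policy above."""
    try:
        resolve_script(argv, ruid, euid)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed argument vectors mirroring the csh and bash cases in the post.
    for argv in (["/usr/bin/taintperl", "-"], ["/usr/bin/taintperl", "./-"]):
        print(argv, "unprivileged:", resolve_script(argv, 1000, 1000),
              "setuid-root ok:", is_safe_invocation(argv, 1000, 0))
```

The setuid case (`ruid=1000, euid=0`) with the bare `-` operand is the only combination that is refused; the same operand is fine when the uids match, and the `./-` spelling bash produces is always treated as a file path.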