Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!henry
From: henry@utzoo.UUCP (Henry Spencer)
Newsgroups: net.unix,net.unix-wizards,net.micro.att,net.bugs.usg
Subject: Re: Sv.2 suid bits
Message-ID: <6184@utzoo.UUCP>
Date: Fri, 29-Nov-85 15:58:28 EST
Article-I.D.: utzoo.6184
Posted: Fri Nov 29 15:58:28 1985
Date-Received: Fri, 29-Nov-85 15:58:28 EST
References: <123@rexago1.UUCP> <114@brl-tgr.ARPA>, <337@ukecc.UUCP>
Organization: U of Toronto Zoology
Lines: 21

> > Eek, I should hope not!  Can you say "Security hole big enough
> > to drive a truck through?"  I knew you could!
>
> I've heard that said about shell scripts many times, but no
> one has ever explained why.  Could some knowledgeable soul fill me
> in please?

Basically because the interpretation of shell scripts is much more a
function of context than is the case for C programs, and the shell
script has less control over the context.  Writing bullet-proof setuid
programs in C is extremely difficult; most existing setuid programs
can be induced to fall over or misbehave if you work at it hard enough.
In the shell it's far worse.  Consider the effect of running a setuid
shell program with a nonstandard value of IFS set -- the interpretation
of the shell script will bear no relation to what the writer intended.
This problem can be solved, but there are ten more lurking deeper in.
The shell is simply too complex to permit *confidence* that there are
no further holes, given that such confidence is very difficult to
achieve even in C.
-- 
				Henry Spencer @ U of Toronto Zoology
				{allegra,ihnp4,linus,decvax}!utzoo!henry
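A concrete illustration of the IFS point above, added here as an example and not part of Henry's post. It runs the same unquoted expansion under an IFS chosen by the caller, the way a setuid script inherits IFS from whoever invoked it, and then the hardened form of the same function. The function names (naive_split, hardened_split, with_ifs) and the input 'report.txt' are made up for the demo. Two caveats for anyone trying it today: POSIX shells apply IFS only to the results of unquoted expansions, whereas the old Bourne shell applied it to the script text itself, so the 1985 attack bit even scripts with no unquoted variables; and Linux ignores the setuid bit on #! scripts, so this is a plain demo of the parsing effect rather than a privilege escalation.

```sh
#!/bin/sh
# Added example, not from Henry's post: the same unquoted expansion parsed
# under an IFS the caller controls, next to a hardened version of it.
# naive_split, hardened_split and with_ifs are names invented for this demo.

# Naive: trusts the inherited IFS and expands $1 unquoted, so the caller's
# IFS decides how many words the single argument turns into.
# Prints "<word count>:" followed by each resulting word and a '|'.
naive_split() {
    set -- $1
    printf '%d:' "$#"
    printf '%s|' "$@"
}

# Hardened: discard the inherited IFS (with IFS unset, POSIX shells split on
# space, tab and newline) and quote the expansion so one argument stays one
# word. A real script would do the unset once, at the very top.
hardened_split() {
    unset IFS
    set -- "$1"
    printf '%d:' "$#"
    printf '%s|' "$@"
}

# Run a command in a subshell whose IFS is whatever the (untrusted) caller
# chose, standing in for the environment a setuid script inherits.
with_ifs() {
    _ifs=$1
    shift
    ( IFS=$_ifs; "$@" )
}

# Stand-alone demo on a constructed input, with the attacker choosing IFS='.'.
printf 'default IFS, naive:  %s\n' "$(with_ifs ' ' naive_split 'report.txt')"
printf 'IFS=".",  naive:     %s\n' "$(with_ifs '.' naive_split 'report.txt')"
printf 'IFS=".",  hardened:  %s\n' "$(with_ifs '.' hardened_split 'report.txt')"
```

With the default IFS the naive function sees one word; with IFS='.' the same argument becomes two words, "report" and "txt", which is exactly the kind of shift in meaning the post describes (imagine the words landing as extra arguments to rm or cp). The hardened version gives one word regardless of what the caller set, which fixes this one hole and, as Henry notes, none of the others.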