Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!ll-xn!cit-vax!mangler
From: mangler@cit-vax.Caltech.Edu (System Mangler)
Newsgroups: comp.unix.questions
Subject: Re: setuid shell scripts
Message-ID: <1250@cit-vax.Caltech.Edu>
Date: Sat, 29-Nov-86 23:25:37 EST
Article-I.D.: cit-vax.1250
Posted: Sat Nov 29 23:25:37 1986
Date-Received: Sun, 30-Nov-86 19:27:08 EST
References: <13@houligan.UUCP> <1112@decuac.DEC.COM>
Organization: California Institute of Technology
Lines: 25
Summary: unconditionally insecure

In article <1112@decuac.DEC.COM>, avolio@decuac.DEC.COM (Frederick M. Avolio) writes:
> #! /bin/sh
> date
> exit 0
>
> and has the setuid bit set and is owned by root and readable by anyone
                                                      ^^^^^^^^
> is like having no password on the root account.

Make that "executable", not "readable".

In case it is not COMPLETELY clear yet: the example can be shortened to

	#!/bin/sh

i.e. no commands at all, and it still gives the opportunist an unrestricted
setuid shell, just by running it with argv[0] starting with "-", which can be
typed in a few seconds.  This is true of both sh and csh, with or without -f.

The only way to prevent this abuse is to not allow execute access.
Better yet, DON'T MAKE SETUID SHELL SCRIPTS.  Delete the ones you have.

(Yes, we got munched in this way.  Funny thing was, the setuid-root shell
script was created by the same superuser who makes the biggest fuss about
security...  So I don't believe in hushing up security holes).

Don Speck   speck@vlsi.caltech.edu   {seismo,rutgers,ames}!cit-vax!speck
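An audit that finds the files this post says should not exist (setuid or setgid files that begin with "#!", i.e. interpreted scripts) and strips the bits, added here as an example and not part of the original post. It assumes a POSIX sh with find, dd, chmod and mktemp available; the demo tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Audit for setuid/setgid interpreter scripts. Added example, not from the
# original post. Assumes POSIX sh plus find(1), dd(1), chmod(1), mktemp(1).

# Print every regular file under $1 that has the setuid or setgid bit set
# AND starts with the "#!" magic, i.e. a setuid/setgid interpreted script.
find_setuid_scripts() {
    dir=$1
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # Read only the first two bytes; a script announces itself with "#!".
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
        if [ "$magic" = '#!' ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Remediation matching the post's advice: clear setuid/setgid on each hit.
strip_setuid_scripts() {
    find_setuid_scripts "$1" | while IFS= read -r f; do
        chmod u-s,g-s "$f"
        printf 'cleared setuid/setgid on %s\n' "$f"
    done
}

# Constructed demo tree (hypothetical files, owned by the caller, not root):
#   bad.sh   - a "#!" script with the setuid bit, the case from the post
#   bin      - a setuid non-script, which the audit must ignore
#   plain.sh - a script without setuid, which the audit must ignore
make_demo_tree() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\ndate\nexit 0\n' > "$tmp/bad.sh"
    chmod 4755 "$tmp/bad.sh"
    printf '\177ELF placeholder, not a script\n' > "$tmp/bin"
    chmod 4755 "$tmp/bin"
    printf '#!/bin/sh\necho ok\n' > "$tmp/plain.sh"
    chmod 755 "$tmp/plain.sh"
    printf '%s\n' "$tmp"
}
```

Run it against a real root as `find_setuid_scripts /` (as a user that can read the tree); on a production host review each hit before calling `strip_setuid_scripts`.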