Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!sundc!oktext!occrsh!occrsh.UUCP!gorgo.UUCP!authorplaceholder
From: bsteve@gorgo.UUCP
Newsgroups: comp.unix.questions
Subject: Re: setuid shell scripts
Message-ID: <58900002@gorgo.UUCP>
Date: Sun, 30-Nov-86 04:20:00 EST
Article-I.D.: gorgo.58900002
Posted: Sun Nov 30 04:20:00 1986
Date-Received: Tue, 2-Dec-86 10:16:35 EST
References: <13@houligan.UUCP>
Lines: 28
Nf-ID: #R:houligan.UUCP:-1300:gorgo.UUCP:58900002:000:1053
Nf-From: gorgo.UUCP!bsteve    Nov 30 03:20:00 1986


In article <13@houligan.UUCP>, dave@murphy.UUCP (Rael's brother John) wrote:
   avolio@decuac.UUCP in comp.unix.ques replied:

>> It works on BSD4.2 and 4.3 systems.  ...
>> Use of this feature poses a number of security problems, since shell scripts
>> aren't usually written with security in mind.  ...
>
>Regarding security problems...  You may as well just write a one line
>C program that exec's the shell and make *that* setuid to root because
>having a setuid shell script causes *the exact same behavior*.  In
>other words, a shell script that looks like:
>
>	#! /bin/sh
>	date
>	exit 0
>
>and has the setuid bit set and is owned by root and readable by anyone
>is like having no password on the root account.

To be more correct, it is not even necessary that the shell script be
readable in the case of most 4.2 implementations. Setuid-root shell scripts
should simply not be used at all. Anyone unclear regarding why this is may
write me personally.

  Steve Blasingame (Oklahoma City)
  ihnp4!occrsh!gorgo!bsteve
  bsteve@eris.berkeley.edu