Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!rutgers!clyde!cbatt!ihnp4!ihdev!pdg
From: pdg@ihdev.UUCP (P. D. Guthrie)
Newsgroups: comp.unix.questions
Subject: Re: setuid shell scripts
Message-ID: <1061@ihdev.UUCP>
Date: Tue, 2-Dec-86 11:05:48 EST
Article-I.D.: ihdev.1061
Posted: Tue Dec 2 11:05:48 1986
Date-Received: Tue, 2-Dec-86 22:33:38 EST
References: <13@houligan.UUCP> <1112@decuac.DEC.COM> <416@gouldsd.UUCP>
Reply-To: pdg@ihdev.UUCP (55224-P. D. Guthrie)
Organization: American Nasal Amputation Centre
Lines: 32

In article <416@gouldsd.UUCP> mjranum@gouldsd.UUCP (Marcus J Ranum) writes:
]In article <13@houligan.UUCP>, dave@murphy.UUCP (Rael's brother John) writes:
]] It works on BSD4.2 and 4.3 systems. ...
]
] When writing setuid shell scripts it's a good idea to specifically
]set the PATH (not including '.' or any WRITEABLE directory). You also must
]avoid any programs that have a shell escape or can call a program with a
]shell escape.
] Usually when I have to do setuid shell scripts, I change directory
]to someplace innocuous and unwritable, set the PATH to nothing, and call
]*EVERYTHING* with explicit path names. Even then, it's a rotten idea to
]use setuid shells when you have a perfectly good C compiler around and can
]do a much better job...

Yes, this is good on System V (pick your release), but *not* on Berkeley.
As has been noted many times, the security bug does not even need to run
the script to work. Therefore all of your nicely thought out, careful
programming could not stop the security hacker, who could not give a hoot
what your script does (or does not) because it doesn't matter.

Your last sentence sums this discussion on setuid shell scripts up pretty
well. *Never* have setuid shell scripts on a BSD4.x system unless a) you
don't care who breaks into your machine (some people don't) or b) you have
installed a kernel-kludge to plug the security hole. Does anyone have diffs
for this they can post?

The last BSD machine I had access to just went to sourceless Ultrix. Sigh.

-- 
Paul Guthrie		We come in peace,
ihnp4!ihdev!pdg		We bring BEER!