Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!cmcl2!brl-adm!adm!bzs@bu-cs.bu.EDU
From: bzs@bu-cs.bu.EDU (Barry Shein)
Newsgroups: comp.unix.wizards
Subject: device file non-protection - and suid scripts
Message-ID: <9688@brl-adm.ARPA>
Date: Wed, 7-Oct-87 23:07:34 EDT
Article-I.D.: brl-adm.9688
Posted: Wed Oct 7 23:07:34 1987
Date-Received: Sat, 10-Oct-87 13:04:20 EDT
Sender: news@brl-adm.ARPA
Lines: 16

>> I had written a simple shell script for
>>the students called 'setpriv' which took either 'public' or 'private'
>>and a list of files and did something reasonable with the permission
>>bits.
>
>Be *extremely* wary of suid shell scripts. A local SA challenged me
>to write one he couldn't break. I lost every time (and learned a lot).

Agreed, but I assure you there is no need for such a script to be suid,
it simply sets up a chmod for the user on his/her own file. It was just
a convenience, mostly because it looked kind of like the system they
came from as frosh so they could manage their file security before
they became grounded in unix.

	-B