Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!sri-unix!sri-spam!mordor!lll-lcc!ptsfa!ihnp4!cbosgd!mandrill!hal!ncoast!allbery
From: allbery@ncoast.UUCP (Brandon Allbery)
Newsgroups: comp.unix.wizards
Subject: Re: device file non-protection - and suid scripts
Message-ID: <4832@ncoast.UUCP>
Date: Sat, 10-Oct-87 12:28:49 EDT
Article-I.D.: ncoast.4832
Posted: Sat Oct 10 12:28:49 1987
Date-Received: Mon, 12-Oct-87 21:34:40 EDT
References: <9615@brl-adm.ARPA> <7525@steinmetz.steinmetz.UUCP>
Reply-To: allbery@ncoast.UUCP (Brandon Allbery)
Followup-To: comp.unix.wizards
Organization: Cleveland Public Access UN*X, Cleveland, Oh
Lines: 17

As quoted from <7525@steinmetz.steinmetz.UUCP> by stpeters@dawn.steinmetz:
+---------------
| There is an *enormous* hole that is totally independent of the script
| contents. Show me a suid script, and I can be running as uid 0 in 10
| seconds. (BSD and derivatives at least, but I believe others as well.)
+---------------

Aside from the fact that I saw nothing saying that either (a) "setpriv" was
suid or (b) it had to be, please note that it's only BSD and derivatives that
have this bug. The reason? Non-BSD systems don't _allow_ suid shell scripts.
Seems a lot safer to me....

--
Brandon S. Allbery, moderator of comp.sources.misc
{{harvard,mit-eddie}!necntc,well!hoptoad,sun!mandrill!hal}!ncoast!allbery
ARPA: necntc!ncoast!allbery@harvard.harvard.edu Fido: 157/502 MCI: BALLBERY
<> "...he calls _that_ a `little adventure'?!" - Cmdr. Ryker