Path: utzoo!utgpu!attcan!uunet!husc6!bbn!uwmcsd1!ig!agate!pasteur!ames!oliveb!sun!gorodish!guy
From: guy@gorodish.Sun.COM (Guy Harris)
Newsgroups: comp.unix.wizards
Subject: Re: show me
Message-ID: <62843@sun.uucp>
Date: 4 Aug 88 18:17:25 GMT
References: <43200021@uicsrd.csrd.uiuc.edu> <1570005@hpcvlx.HP.COM>
Sender: news@sun.uucp
Lines: 36

> Apparently, that is not the case, i.e. there appears to be some way of
> breaking out of the setuid script, giving the user an effective uid of
> root (or somebody else).
>
> Is this true?

Yes.

> How can it be done?

Without too much difficulty; it's harder on 4.3BSD with properly-written
shell scripts (i.e., ones with "#! /bin/sh -" or "#! /bin/csh -b" as the
first line - the extra flag blocks one of the holes - and with IFS reset
as the first action and PATH reset as the second), but it can still be
done. Furthermore, many people are not at all confident that you can
guarantee that you have ever caught the "last" security hole.

> Is there a work-around?

No.

> I remember back in the spring of 88 I saw a BSD bug fix that said
> "setuid/gid scripts are a security problem." and included a patch
> to the kernel that more or less disabled setuid/gid scripts. Sounds
> suspicious if you ask me...

That fix was posted because of one of the security holes; many people
thought that 4.3BSD had closed the last of them, until Randy Smith (then
of the NCI Supercomputer Facility) pointed out one that people hadn't
thought of....
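An added example, not part of Guy Harris's post and not code from 4.3BSD: a small POSIX shell lint that checks a Bourne-shell script for the three mitigations the post names (a "#! /bin/sh -" first line, IFS reset as the first action, PATH reset as the second). The function names `first_actions` and `check_setuid_script` and the three sample scripts are assumptions constructed for the example; the csh "-b" form is not handled. As the post says, these mitigations only block some of the holes, so a script passing this check is not thereby safe to make setuid.

```shell
#!/bin/sh
# Added example (not from the post): lint a setuid Bourne-shell script for the
# mitigations the post lists. Passing is necessary, not sufficient.

# first_actions FILE: print the first two "actions" of a script, i.e. the first
# two non-blank, non-comment lines after the #! line. A line that opens a
# single-quoted string (odd number of quotes, as in a multi-line IFS='...'
# assignment) has its continuation lines folded into the same action.
first_actions() {
    awk -v q="'" '
        NR == 1 { next }                                  # the #! line
        inq { if (gsub(q, q) % 2) inq = 0; next }         # still inside a quote
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blank lines
        { print; if (++n == 2) exit; if (gsub(q, q) % 2) inq = 1 }
    ' "$1"
}

# check_setuid_script FILE: return 0 if line 1 is "#! /bin/sh -", the first
# action resets IFS and the second resets PATH; otherwise say why and return 1.
check_setuid_script() {
    f=$1
    case "$(sed -n 1p "$f")" in
        '#! /bin/sh -'|'#!/bin/sh -') ;;
        *) echo "$f: line 1 must be '#! /bin/sh -' (the '-' blocks one hole)"; return 1 ;;
    esac
    a1=$(first_actions "$f" | sed -n 1p)
    a2=$(first_actions "$f" | sed -n 2p)
    case "$a1" in
        IFS=*) ;;
        *) echo "$f: first action must reset IFS, found: $a1"; return 1 ;;
    esac
    case "$a2" in
        PATH=*) ;;
        *) echo "$f: second action must reset PATH, found: $a2"; return 1 ;;
    esac
    echo "$f: ok"
}

tmp=$(mktemp -d)

# Constructed sample 1: the weak form, no '-' flag and no resets at all.
cat > "$tmp/weak.sh" <<'EOF'
#! /bin/sh
cat /etc/motd
EOF

# Constructed sample 2: flag present, IFS reset spans two lines (quoted
# newline), but PATH is never reset, so the second action is the command.
cat > "$tmp/nopath.sh" <<'EOF'
#! /bin/sh -
IFS='
'
cat /etc/motd
EOF

# Constructed sample 3: the hardened form. IFS is reset to space, tab and
# newline on one line; the trailing X is there because command substitution
# strips a trailing newline, and ${IFS%X} removes it again.
cat > "$tmp/hardened.sh" <<'EOF'
#! /bin/sh -
IFS=$(printf ' \t\nX'); IFS=${IFS%X}
PATH=/bin:/usr/bin
export PATH
cat /etc/motd
EOF

for s in weak.sh nopath.sh hardened.sh; do
    check_setuid_script "$tmp/$s" || true
done
```

Only the hardened sample passes; the other two print which of the three mitigations is missing. The check is line-based on purpose: a setuid script should make these two assignments before anything else, so anything that is not an assignment to IFS or PATH in the first two positions is treated as a failure.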