Path: utzoo!attcan!uunet!lll-winken!lll-tis!ames!mailrus!cornell!uw-beaver!teknowledge-vaxc!sri-unix!quintus!ok
From: ok@quintus.uucp (Richard A. O'Keefe)
Newsgroups: comp.unix.wizards
Subject: Re: show me
Message-ID: <253@quintus.UUCP>
Date: 5 Aug 88 20:37:05 GMT
References: <43200021@uicsrd.csrd.uiuc.edu> <1570005@hpcvlx.HP.COM> <5030@vdsvax.steinmetz.ge.com>
Sender: news@quintus.UUCP
Reply-To: ok@quintus.UUCP (Richard A. O'Keefe)
Organization: Quintus Computer Systems, Inc.
Lines: 9

In article <5030@vdsvax.steinmetz.ge.com> barnett@steinmetz.ge.com (Bruce G. Barnett) writes:
:Just to give you a taste of the types of problems with setuid shell scripts,
:>have you considered:
: 1. People can alias '/bin/cat' in their .cshrc
[and several others]
It is already the case that some systems refuse to run setuid csh scripts
unless they have the -b flag; perhaps they should require -f as well:
	#!/bin/csh -fb
so that no .cshrc file will be read.
(Of course there is still chroot plus links to watch out for...)
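The check the post argues for, written up as an added audit script (not part of the original post or of any csh distribution): it classifies a script's "#!" line by whether a csh interpreter is invoked with both -f and -b, and lists setuid or setgid files under a directory whose shebang lacks either flag. It assumes the interpreter is named csh or tcsh and that its options are single letters after a dash on the same line.

```sh
#!/bin/sh
# Added example: classify a script's "#!" line the way the post suggests, so a
# local audit can flag setuid csh scripts that would still read .cshrc.
# Assumption: interpreter is csh/tcsh; options are letters after a dash.

# Print one of: ok (csh with -f and -b), missing-f, missing-b, missing-fb,
# not-csh (no csh shebang).  Always returns 0 so callers can use set -e.
classify_csh_shebang() {
    first_line=$(head -n 1 -- "$1")
    case $first_line in
        '#!'*csh*) ;;
        *) printf '%s\n' not-csh; return 0 ;;
    esac
    have_f=no; have_b=no
    # Walk every option word after the interpreter path ("-fb" or "-f -b").
    for word in ${first_line#*csh}; do
        case $word in
            -*f*) have_f=yes ;;
        esac
        case $word in
            -*b*) have_b=yes ;;
        esac
    done
    case "$have_f$have_b" in
        yesyes) printf '%s\n' ok ;;
        noyes)  printf '%s\n' missing-f ;;
        yesno)  printf '%s\n' missing-b ;;
        *)      printf '%s\n' missing-fb ;;
    esac
}

# Report every setuid/setgid regular file under the given directory whose
# shebang is a csh line missing -f or -b.  Prints "path verdict" per finding.
audit_setuid_csh_scripts() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r path; do
        verdict=$(classify_csh_shebang "$path")
        case $verdict in
            missing-*) printf '%s %s\n' "$path" "$verdict" ;;
        esac
    done
}
```

Run as `audit_setuid_csh_scripts /usr/local/bin` (or any directory holding privileged scripts); a clean run prints nothing.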