Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ames!haven!mimsy!chris
From: chris@mimsy.UUCP (Chris Torek)
Newsgroups: comp.unix.wizards
Subject: Re: Secure setuid shell scripts
Message-ID: <14151@mimsy.UUCP>
Date: 25 Oct 88 16:33:27 GMT
References: <14066@iuvax.cs.indiana.edu> <4409@bsu-cs.UUCP> <14069@mimsy.UUCP> <4483@bsu-cs.UUCP>
Organization: U of Maryland, Dept. of Computer Science, Coll. Pk., MD 20742
Lines: 12

In article <4483@bsu-cs.UUCP> dhesi@bsu-cs.UUCP (Rahul Dhesi) writes:
>The set-user-id shell script bug, they say, lies in the semantics of
>the file system itself.  Very well: ... Does the same security hole
>exist when a shell, which has been made made set-uid to root, executes
>a set-uid script without the kernel's help?

No.  (Gak, this practically gives it away.  Oh well, everyone has had
plenty of warning to get rid of setuid or setgid scripts that set to
important IDs.)
-- 
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain:	chris@mimsy.umd.edu	Path:	uunet!mimsy!chris