Path: utzoo!utgpu!attcan!uunet!husc6!uwvax!umn-d-ub!nic.MR.NET!hal!cwjcc!tut.cis.ohio-state.edu!osu-cis!att!chinet!mcdchg!clyde!watmath!cantuar!greg
From: greg@cantuar.UUCP (G. Ewing)
Newsgroups: comp.unix.wizards
Subject: setuid shell scripts
Keywords: setuid script #! security
Message-ID: <850@cantuar.UUCP>
Date: 3 Nov 88 04:14:03 GMT
Reply-To: greg@cantuar.UUCP (G. Ewing)
Organization: University of Canterbury, Christchurch, New Zealand
Lines: 21

Under how many of the following conditions does the problem
still exist:

   (A)	The shell checks the owner and set{u,g}id bits of the
	script it is about to execute to make sure it's okay.

   (B)	The "shell" isn't a shell or interpreter at all, and
	doesn't execute the script as a list of commands.

   (C)	The "shell" consists of the following program:

		main() {
		}

If any of these things prevent the problem, then I submit that
removing the setuid-#! facility is wrong.

Greg Ewing				Internet: greg@cantuar.uucp
Spearnet: greg@nz.ac.cantuar		Telecom: +64 3 667 001 x8357
UUCP:	  ...!{watmath,munnari,mcvax,vuwcomp}!cantuar!greg
Post:	  Computer Science Dept, Univ. of Canterbury, Christchurch, New Zealand
Disclaimer: The presence of this disclaimer in no way implies any disclaimer.