Path: utzoo!utgpu!watmath!cantuar!greg
From: greg@cantuar.UUCP (G. Ewing)
Newsgroups: comp.unix.wizards
Subject: Re: setuid shell scripts
Keywords: But is it what Chris really meant?
Message-ID: <862@cantuar.UUCP>
Date: 17 Nov 88 02:28:03 GMT
References: <850@cantuar.UUCP> <1627@solo8.cs.vu.nl> <855@cantuar.UUCP> <14552@mimsy.UUCP>
Reply-To: greg@cantuar.UUCP (G. Ewing)
Organization: University of Canterbury, Christchurch, New Zealand
Lines: 35

Chris Torek (chris@mimsy.UUCP) writes:
>In article <855@cantuar.UUCP> greg@cantuar.UUCP (G. Ewing) writes:
>>and Chris Torek indicated in an earlier posting that there was a
>>problem that was *completely independent* of shell semantics.
>
>I hope that this is a paraphrase, for I did not mean that. If the
>interpreter does nothing with the script, there are no setid problems.

Thanks for the clarification. I don't remember your exact words, but
whatever they were, they gave me that impression, causing great confusion.

>there are no known uses for the (now disallowed) kernel
>invocation of set-id #! scripts that are also secure.

Just because nobody is using it now doesn't mean that there is no use
for it! An interpreter for some programming language could be written
that was careful to check the mode and owner of any file that it was
about to execute, and if it was setu(g)id, refuse to continue if its
owner(group) didn't match the process's effective u(g)id.

Correct me if I'm wrong, but as things stand, this ought to be safe,
oughtn't it? If so, disabling setuid #! files in the kernel removes a
potentially useful facility unnecessarily, and seems to me an
excessively drastic action to take.

Greg Ewing
Internet: greg@cantuar.uucp
Spearnet: greg@nz.ac.cantuar
Telecom:  +64 3 667 001 x8357
UUCP:     ...!{watmath,munnari,mcvax,vuwcomp}!cantuar!greg
Post:     Computer Science Dept, Univ. of Canterbury, Christchurch, New Zealand
Disclaimer: The presence of this disclaimer in no way implies any disclaimer.