Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ames!elroy!jpl-devvax!lwall
From: lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall)
Newsgroups: comp.unix.wizards
Subject: Re: setuid shell scripts
Keywords: But is it what Chris really meant?
Message-ID: <3545@jpl-devvax.JPL.NASA.GOV>
Date: 18 Nov 88 09:15:32 GMT
References: <850@cantuar.UUCP> <1627@solo8.cs.vu.nl> <855@cantuar.UUCP> <14552@mimsy.UUCP> <862@cantuar.UUCP>
Reply-To: lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall)
Organization: Jet Propulsion Laboratory, Pasadena, CA.
Lines: 24

In article <862@cantuar.UUCP> greg@cantuar.UUCP (G. Ewing) writes:
: An interpreter for some programming language could be written
: that was careful to check the mode and owner of any file that it
: was about to execute, and if it was setu(g)id, refuse to continue
: if its owner(group) didn't match the process's effective u(g)id.
:
: Correct me if I'm wrong, but as things stand, this ought to be
: safe, oughtn't it?

Nope, sorry.  Still definitely unsafe.  If there was any way to do it,
I'd have done it with perl.  I gave up and disabled #! in my kernel, and
now perl emulates set-id when necessary.  (Quite a trick disabling set-id
#! in a binary only system!  I managed it on a Vax by changing a branch,
but the Sun's another story.  I'm trying to wheedle the patch out of Sun
but they're still thinking about it.  At least I hope they're still
thinking about it...)

Not until a particular feature is hacked into the kernel will set-id #!
be secure again.  It may also be necessary to modify interpreters, though
there are ways to avoid that if they work it right.

Larry Wall
lwall@jpl-devvax.jpl.nasa.gov
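
An added example, not part of either post: the mode/owner check proposed in the quoted article, written in C against an already-open descriptor. The function, enum and helper names are hypothetical, the sample file is constructed, and the reply above says this check by itself does not make set-id #! scripts safe.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Verdict names are hypothetical, chosen for this example. */
enum setid_verdict { SETID_ERROR = -1, SETID_OK = 0, SETID_REFUSE = 1 };

/*
 * The quoted rule, applied to an open script descriptor: a set-uid file
 * must be owned by the effective uid, a set-gid file must belong to the
 * effective gid. fstat() reads mode and owner from the opened file itself.
 */
enum setid_verdict check_setid_script(int fd, uid_t euid, gid_t egid)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return SETID_ERROR;
    if ((st.st_mode & S_ISUID) && st.st_uid != euid)
        return SETID_REFUSE;
    if ((st.st_mode & S_ISGID) && st.st_gid != egid)
        return SETID_REFUSE;
    return SETID_OK;
}

/* Constructed sample input: an unlinked temp file with the given mode. */
int make_sample_script(mode_t mode)
{
    char path[] = "/tmp/setid_check_XXXXXX";
    int fd = mkstemp(path);

    if (fd < 0)
        return -1;
    unlink(path);
    if (fchmod(fd, mode) != 0) { close(fd); return -1; }
    return fd;
}

int main(int argc, char **argv)
{
    /* With no argument, check a constructed set-uid sample file. */
    int fd = (argc > 1) ? open(argv[1], O_RDONLY) : make_sample_script(04755);
    if (fd < 0) { perror("open"); return 2; }
    enum setid_verdict v = check_setid_script(fd, geteuid(), getegid());
    printf("%s\n", v == SETID_OK ? "ok" : v == SETID_REFUSE ? "refuse" : "error");
    close(fd);
    return v == SETID_OK ? 0 : 1;
}
```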