Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: auspex!guy@uunet.uu.net (Guy Harris)
Newsgroups: comp.sys.sun
Subject: Re: Are suid shell scripts using /bin/csh secure
Keywords: Software
Message-ID: <1161@auspex.UUCP>
Date: 31 Mar 89 02:47:36 GMT
References: <8902281107.AA16022@uk.ac.oxford.robots>
Sender: usenet@rice.edu
Organization: Auspex Systems, Santa Clara
Lines: 23
Approved: Sun-Spots@rice.edu
Original-Date: 13 Mar 89 20:35:54 GMT
X-Sun-Spots-Digest: Volume 7, Issue 218, message 2 of 17

> 3: Make a symbolic link to the script from a file called "-s";
>    I KNOW OF NO WAY TO CIRCUMVENT THIS WITH /bin/sh
>    SCRIPTS;

	#! /bin/sh -

The "-" argument will cause the shell to stop scanning its argument list for
flag arguments, and treat the argument following it as a script name.

However, there's also:

4: There is another hole in the "#!" mechanism that there is no way to patch
   merely by properly constructing the script.  As far as I know, it can be
   used to break either shell; the only fix anybody's come up with requires
   a new kernel facility (basically, the "/dev/fd" mechanism) - thanks and a
   tip of the Hatlo hat to, as I remember, Dave Korn for coming up with the
   fix.  The presence of that hole is what prompted Berkeley to at least
   temporarily remove the ability to run shell scripts set-UID (in a posting
   to "comp.bugs.4bsd" or "comp.bugs.4bsd.ucb-fixes").
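An added example, not part of the original post: a small POSIX sh audit that reads a script's "#!" line and reports whether it ends with the "-" (or "--") that stops /bin/sh from scanning for flag arguments. The function name and the sample scripts are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit the "#!" line of a
# script for the trailing "-" that makes /bin/sh stop scanning for flags
# (so a link named "-s" is treated as the script name, not an option).
# Prints one of: no-shebang, guarded, unguarded.  Exit 0 only when guarded.
shebang_status() {
    first=$(head -n 1 "$1")
    case $first in
        '#!'*) ;;
        *) echo no-shebang; return 2 ;;
    esac
    # Last whitespace-separated word of the "#!" line: "-" or "--" ends
    # option scanning; anything else leaves the interpreter's flag parser open.
    last=$(printf '%s\n' "$first" | awk '{ print $NF }')
    case $last in
        -|--) echo guarded; return 0 ;;
        *) echo unguarded; return 1 ;;
    esac
}

# Constructed sample scripts, written to a scratch directory for the demo.
demo_dir=$(mktemp -d)
printf '#! /bin/sh -\necho hello\n' > "$demo_dir/guarded.sh"
printf '#!/bin/sh\necho hello\n'    > "$demo_dir/unguarded.sh"
printf '#!/bin/csh -f\necho hello\n' > "$demo_dir/csh.sh"
printf 'echo hello\n'               > "$demo_dir/plain.sh"

for f in "$demo_dir"/*.sh; do
    printf '%-14s %s\n' "$(basename "$f")" "$(shebang_status "$f")"
done
rm -rf "$demo_dir"
```

A "guarded" result closes only the flag-argument hole the post describes; as the post goes on to say, the separate "#!" hole cannot be fixed by constructing the script, so this check is not evidence that a set-UID script is safe.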