Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!zaphod.mps.ohio-state.edu!uwm.edu!lll-winken!csustan!carlos
From: carlos@csustan.CSUStan.Edu
Newsgroups: comp.sys.next
Subject: Re: Question about setuid bit
Message-ID: <1990Feb3.015340.20467@csustan.CSUStan.Edu>
Date: 3 Feb 90 01:53:40 GMT
Organization: CSU, Stanislaus
Lines: 28

There are two basic things wrong with this shell script, one minor, the other a serious security problem.

First, setuid csh shell scripts are disabled if not run with the -b option. This can be incorporated in your shell script by changing the first line as follows:

--------------------
#!/bin/csh -b
--------------------

The second problem is much more serious. Without getting into a massive discussion about the problems of setuid shell scripts, let's just say that it would behoove you to hard code the path of each command you wish interpreted by the script such as changing echo to /bin/echo and so on. It probably would be good also to NOT make this script publicly accessible by all even after following this advice.

- Advanced Security Technology Corporation -
Carlos Salgado _/_ ...! uunet Work: +1-704-669-4102
__. _ / _. \
(_/| /_) /_ (__ duke!wolves!secure!carlos
/ Home: +1-704-669-6273
...!usource carlos@csustan.csustan.edu
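
The three points in the post above (the -b interpreter flag, hard-coded command paths, and not leaving the script accessible to all) turned into a heuristic audit function. This is an added example, not part of the original post; `audit_csh_script` and `CSH_BUILTINS` are hypothetical names, the builtin list is a partial assumption, and only the first word of each line is inspected.

```shell
#!/bin/sh
# Added example: heuristic audit of a csh script against the post's three points.
# CSH_BUILTINS is a partial, assumed list of words csh does not look up via the path.
CSH_BUILTINS="set setenv unset if then else endif foreach end while exit cd source"

audit_csh_script() {
    file=$1
    rc=0

    # Point 1: a csh interpreter line should carry -b.
    case $(head -n 1 "$file") in
        '#!'*csh*' -b'*) ;;
        '#!'*csh*) echo "interpreter line lacks -b"; rc=1 ;;
    esac

    # Point 2: the first word of each line should be an absolute path or a builtin.
    bare=$(awk -v builtins="$CSH_BUILTINS" '
        BEGIN { n = split(builtins, b, " "); for (i = 1; i <= n; i++) skip[b[i]] = 1 }
        NR == 1 || NF == 0 || $1 ~ /^#/ { next }
        $1 !~ /^\// && !($1 in skip) { printf "line %d: %s is not an absolute path\n", NR, $1 }
    ' "$file")
    if [ -n "$bare" ]; then
        echo "$bare"; rc=1
    fi

    # Point 3: the "other" permission bits are columns 8-10 of the ls mode string.
    other=$(ls -ld "$file" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "accessible by all ($other)"; rc=1
    fi
    return $rc
}

# Constructed sample resembling the kind of script the post criticizes.
sample=$(mktemp)
printf '#!/bin/csh\necho hello\n/bin/date\n' > "$sample"
chmod 755 "$sample"
audit_csh_script "$sample" || true
rm -f "$sample"
```

The function returns non-zero when it prints any finding, so it can gate a review step for scripts that are about to be installed setuid.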