Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!tut.cis.ohio-state.edu!ucbvax!ziploc!eps
From: eps@toaster.SFSU.EDU (Eric P. Scott)
Newsgroups: comp.sys.next
Subject: Re: Question about setuid bit
Message-ID: <291@toaster.SFSU.EDU>
Date: 3 Feb 90 05:50:00 GMT
References: <1990Feb3.015340.20467@csustan.CSUStan.Edu>
Reply-To: eps@cs.SFSU.EDU (Eric P. Scott)
Organization: San Francisco State University
Lines: 18

In article <1990Feb3.015340.20467@csustan.CSUStan.Edu> carlos@csustan.CSUStan.Edu writes:
>The second problem is much more serious. Without getting into a massive
>discussion about the problems of setuid shell scripts, let's just
>say that it would behoove you to hard code the path of each command you
>wish interpreted by the script such as changing echo to /bin/echo and so
>on. It probably would be good also to NOT make this script
>publicly accessible by all even after following this advice.

Try
	#!/bin/csh -fb
instead. The f defeats a hole exploited by known security hackers
(and also makes your script faster).

Back to the original question... what you're doing is inherently
the wrong approach anyway. Kermit out on /dev/cua--it's
interlocked with /dev/ttyda so you can use the same port for
input and output. See the manual page zs(4) for more information.

					-=EPS=-
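
An added example, not part of the original post: a small audit that lists setuid/setgid files that are scripts and checks whether csh scripts carry the `-fb` flags recommended above. The function names and verdict words are invented for this illustration; any setuid script it reports still deserves review.

```shell
#!/bin/sh
# Added example (not from the original post). Verdict names are made up here.

# classify_shebang LINE: print a verdict for a file's first line.
classify_shebang() {
    line=$1
    case $line in
        '#!'*) ;;
        *) echo not-a-script; return 0 ;;
    esac
    rest=${line#'#!'}
    # Word-split "interp flags" with globbing off; $1 = interpreter, $2 = flags.
    set -f; set -- $rest; set +f
    interp=${1:-}
    flags=${2:-}
    case ${interp##*/} in
        csh|tcsh)
            # -f: do not read ~/.cshrc; -b: stop option processing, so later
            # arguments cannot be taken as shell options.
            case $flags in
                -*f*b*|-*b*f*) echo csh-fb ;;
                *) echo csh-missing-fb ;;
            esac ;;
        *) echo other-interpreter ;;
    esac
}

# audit_setuid_scripts DIR: list setuid/setgid files under DIR that are scripts,
# one "verdict<TAB>path" line each. Binaries are skipped.
audit_setuid_scripts() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000')
        verdict=$(classify_shebang "$first")
        [ "$verdict" = not-a-script ] || printf '%s\t%s\n' "$verdict" "$f"
    done
}

# Run as: sh audit.sh /some/dir   (the script file name is an assumption)
if [ "$#" -gt 0 ]; then audit_setuid_scripts "$1"; fi
```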