Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!pt.cs.cmu.edu!fed.expres.cs.cmu.edu!jgm
From: jgm@fed.expres.cs.cmu.edu (John G. Myers)
Newsgroups: comp.sys.next
Subject: Re: Question about setuid bit
Summary: setuid shell scripts: don't do it
Message-ID: <7818@pt.cs.cmu.edu>
Date: 3 Feb 90 06:33:48 GMT
References: <1990Feb3.015340.20467@csustan.CSUStan.Edu> <291@toaster.SFSU.EDU>
Organization: Carnegie Mellon University
Lines: 30

In article <291@toaster.SFSU.EDU> eps@cs.SFSU.EDU (Eric P. Scott) writes:
>In article <1990Feb3.015340.20467@csustan.CSUStan.Edu>
> carlos@csustan.CSUStan.Edu writes:
>>The second problem is much more serious. Without getting into a massive
>>discussion about the problems of setuid shell scripts, let's just
>>say that it would behoove you to hard code the path of each command...
>
>Try #!/bin/csh -fb instead. The f defeats a hole...

...leaving the fact that setuid shell scripts are inherently a security
hole, no matter *how* you code them. The existence of a setuid file
containing only the single line:

	#!/bin/csh -fb

or even

	#!/bin/sh -

is sufficient to get an interactive shell running as the owner of the
file. The problem is inherent in the semantics of shell scripts.

Berkeley has published an official fix for BSD which basically disables
setuid shell scripts.

If you think you want one, write a C program instead.
--
_.John G. Myers		Internet: jgm@fed.expres.cs.cmu.edu
(412) 268-2984		LoseNet:  ...!seismo!ihnp4!wiscvm.wisc.edu!give!up
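An added example, written for this page and not part of Myers' post or of any BSD code: a POSIX shell audit that lists setuid or setgid files that are interpreter scripts, i.e. files whose first two bytes are the `#!` magic. These are exactly the files the post says should not exist; on a system with the Berkeley fix the bit is ignored, but the audit still shows which scripts were expected to run with elevated rights and should be replaced by a compiled program as the post recommends. The `make_demo_tree` helper and its file names are constructed here so the audit can be run on sample input offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit a directory tree for
# setuid/setgid files that are interpreter scripts.

# Print every regular file under $1 that has the setuid or setgid bit set
# AND starts with the "#!" interpreter magic. A compiled setuid binary is
# not reported; that is the replacement the post recommends.
find_setuid_scripts() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # Read only the first two bytes; "#!" marks a script for the kernel.
        if [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed sample tree so the audit can be exercised offline:
#   suid-script.sh  setuid + "#!" header   -> should be reported
#   suid-binary     setuid, no "#!" header -> should NOT be reported
#   plain-script.sh "#!" header, no setuid -> should NOT be reported
# Prints the path of the temporary directory it created.
make_demo_tree() {
    d=$(mktemp -d)
    # The single-line script from the post is enough to be a problem.
    printf '#!/bin/sh -\n' > "$d/suid-script.sh"
    chmod 4755 "$d/suid-script.sh"
    # Placeholder standing in for a compiled program (not a real ELF file).
    printf '\177ELF placeholder, not a real binary\n' > "$d/suid-binary"
    chmod 4755 "$d/suid-binary"
    printf '#!/bin/sh\necho hello\n' > "$d/plain-script.sh"
    chmod 0755 "$d/plain-script.sh"
    printf '%s\n' "$d"
}

# Usage on a real system: find_setuid_scripts /usr/local/bin
# Demo on the constructed tree:
demo_dir=$(make_demo_tree)
find_setuid_scripts "$demo_dir"
rm -rf "$demo_dir"
```

The audit keys on the `#!` magic rather than on the file extension because the kernel does the same: any setuid file beginning with `#!` is handed to the named interpreter, regardless of its name, which is what makes the bit dangerous on scripts.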