Bonfield James writes:
:># this program will be executed when mail is sent to the fake alias.
:># since solaris sh and csh and tcsh refuse to run when euid != realuid,
:># we instead run the program we compiled above.
:
:Does anyone know quite what the logic behind these shell checks are? They're
:just a pain and a stumbling block that are trivial to work around. Is it only
:Sun derived things that do this?
:
:	James

It's just a safety precaution, forcing the sysadmin to make a conscious
extra step, and an additional rearguard action.

SVR4 and solaris (among others) do the suid shell scripts securely.

For example, I made a suid shell script (setuid to a user, and run as
root so that I could trace it..)

root@gecko:[11:38pm]/var/tmp-105# l testsuid
-rwsr-sr-x 1 peter user 50 Mar 28 23:33 testsuid
root@gecko:[11:38pm]/var/tmp-106# cat testsuid
#! /sbin/sh -p
echo 0:$0 1:$1 2:$2 3:$3 4:$4
id
root@gecko:[11:38pm]/var/tmp-107# ./testsuid
0:/dev/fd/3 1: 2: 3: 4:
uid=0(root) gid=0(root) euid=433(peter) egid=304(user)
root@gecko:[11:38pm]/var/tmp-108# truss -a ./testsuid
execve("./testsuid", 0x08047C7C, 0x08047C84) argc = 3
    *** SUID: ruid/euid/suid = 0 / 433 / 433 ***
    *** SGID: rgid/egid/sgid = 0 / 304 / 304 ***
 argv: /sbin/sh -p /dev/fd/3
open("/dev/zero", O_RDONLY, 01001076164) = 4
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE, 4, 0) = 0x80030000
getuid() = 0 [ 433 ]
getuid() = 0 [ 433 ]
close(4) = 0
sysi86(SI86FPHW, 0x8002DA2C, 0x8002D420, 0x08047C58) = 0x00000000
getpid() = 23655 [ 23654 ]
getpgid(23655) = 23654
getsid(23655) = 23369
brk(0x080583D8) = 0
sigaction(SIGHUP, 0x00000000, 0x08047BD4) = 0
sigaction(SIGHUP, 0x08047B70, 0x08047BB0) = 0
sigaction(SIGINT, 0x00000000, 0x08047BD4) = 0
[...]
sigaction(SIGXCPU, 0x08047B70, 0x08047BB0) = 0
sigaction(SIGXFSZ, 0x00000000, 0x08047BD4) = 0
sigaction(SIGXFSZ, 0x08047B70, 0x08047BB0) = 0
brk(0x080585D8) = 0
brk(0x080588D8) = 0
getuid() = 0 [ 433 ]
open("/dev/fd/3", O_RDONLY, 01001276470) = 4
close(19) Err#9 EBADF
fcntl(4, F_DUPFD, 0x00000013) = 19
close(4) = 0
fcntl(19, F_SETFD, 0x00000001) = 0
ioctl(2, TCGETA, 0x08047BD8) = 0
ioctl(19, TCGETA, 0x08047BD8) Err#25 ENOTTY
read(19, " # ! / s b i n / s h ".., 128) = 50
brk(0x08058CD8) = 0
0:/dev/fd/3 1: 2: 3: 4:
write(1, " 0 : / d e v / f d / 3 ".., 24) = 24
xstat(2, "/sbin/id", 0x08047AA0) Err#2 ENOENT
xstat(2, "/usr/sbin/id", 0x08047AA0) Err#2 ENOENT
xstat(2, "/usr/bin/id", 0x08047AA0) = 0
access("/usr/bin/id", 9) = 0
fork() = 23656
uid=0(root) gid=0(root) euid=433(peter) egid=304(user)
    Received signal #18, SIGCLD [default]
      siginfo: SIGCLD CLD_EXITED pid=23656 uid=1 status=0x0000
waitsys(0x00000000, 23656, 0x08047AD8, WEXITED|WTRAPPED|WUNTRACED|WNOWAIT) = 0
ioctl(0, TIOCGPGRP, 0x08047B20) = 0
ioctl(0, TCGETS, 0x080574D8) = 0
waitsys(0x00000000, 23656, 0x08047AC8, WEXITED|WTRAPPED|WUNTRACED) = 0
read(19, 0x08057D54, 128) = 0
ioctl(19, TCGETA, 0x08047BD4) Err#25 ENOTTY
close(19) = 0
_exit(0)
root@gecko:[11:38pm]/var/tmp-109#

As you can see, the interpreter is invoked with the already-open file
descriptor as an argument "/sbin/sh -p /dev/fd/3"

-Peter
--
Peter Wemm <peter@DIALix.oz.au> - NIC Handle: PW65 - The keeper of "NN"
"My computer is better than your computer" - Anonymous
(Overheard, shortly after the creation of the second computer....)
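
Added example, not part of the original post and not Solaris code: a user-space C illustration of why handing the interpreter "/dev/fd/N" instead of the pathname is safe. The file whose ownership and mode were read from the open descriptor stays the file that gets read, even if the pathname is swapped afterwards. The function names and temp-file paths are hypothetical, and a system that provides /dev/fd is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the script once, take its identity (owner, mode, inode) from the
 * descriptor rather than the pathname, and build the "/dev/fd/N" name an
 * interpreter would be given. Returns the fd, or -1 on error. */
int open_script_by_fd(const char *path, struct stat *st, char *fdpath, size_t n)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (fstat(fd, st) != 0 || !S_ISREG(st->st_mode) ||
        snprintf(fdpath, n, "/dev/fd/%d", fd) >= (int)n) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: after the open, a different file is renamed over
 * the pathname. Returns 1 if /dev/fd/N still names the checked file while
 * the pathname now names another one, 0 if not, -1 on setup failure. */
int fd_survives_path_swap(void)
{
    char a[] = "/tmp/suidfd-a-XXXXXX", b[] = "/tmp/suidfd-b-XXXXXX";
    char fdpath[32];
    struct stat checked, via_fd, via_path;
    int ta = mkstemp(a), tb = mkstemp(b), fd, ok = -1;

    if (ta >= 0) close(ta);
    if (tb >= 0) close(tb);
    fd = (ta >= 0 && tb >= 0)
             ? open_script_by_fd(a, &checked, fdpath, sizeof fdpath) : -1;
    if (fd >= 0 && rename(b, a) == 0 &&
        stat(fdpath, &via_fd) == 0 && stat(a, &via_path) == 0)
        ok = via_fd.st_ino == checked.st_ino &&
             via_fd.st_dev == checked.st_dev &&
             via_path.st_ino != checked.st_ino;
    if (fd >= 0) close(fd);
    unlink(a);
    unlink(b);
    return ok;
}

int main(void)
{
    printf("fd path unaffected by swap: %d\n", fd_survives_path_swap());
    return 0;
}
```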