Re: setuid scripts in SunOS 4.1.x

Harold van Aalderen (harold@sara.nl)
Tue, 27 Sep 1994 10:19:49 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Rafi Sadowsky: "Re: setuid scripts in SunOS 4.1.x"
Previous message: Fred Blonder: "Re: setuid scripts in SunOS 4.1.x"
In reply to: Fred Blonder: "Re: setuid scripts in SunOS 4.1.x"
Next in thread: Rafi Sadowsky: "Re: setuid scripts in SunOS 4.1.x"

In message <199409262012.QAA04662@nasirc.hq.nasa.gov> you write:
> Since the problem is in /bin/sh, that is where it should be solved, or
> at least avoided.  If you across-the-board disable all set-uid shell
> interpreters, that will infuriate the few who do it right, and remove
> any motivation for others to do it correctly.

The problem is not in /bin/sh but in the kernel. It really doesn't matter
which interpreter you execute. Interpreters are useally not designed to
execute with euid 0, there are just to many ways to manipulate them.
The magic token '#!' that signals the kernel to execute an interpreter is
something that should not be combined with suid permissions.

So the proper place to fix the problem is the kernel.

Suidperl clames to be the rare exception to the rule. Personally I 
don't trust it. It is hard enough to make a C program suid save.

> -----
> Fred Blonder		fred@nasirc.hq.nasa.gov
> 
> Hughes STX Corp.	(301) 441-4079
> 7701 Greenbelt Rd.
> Greenbelt, Md.  20770



Harold van Aalderen 			      |email: harold@sara.nl
system programmer/site security contact       | 
SARA (Academic Computing Services Amsterdam)  |phone: +31 20 5923000
PO Box 94613 1090 GP Amsterdam The Netherlands|fax  : +31 20 6683167

Next message: Rafi Sadowsky: "Re: setuid scripts in SunOS 4.1.x"
Previous message: Fred Blonder: "Re: setuid scripts in SunOS 4.1.x"
In reply to: Fred Blonder: "Re: setuid scripts in SunOS 4.1.x"
Next in thread: Rafi Sadowsky: "Re: setuid scripts in SunOS 4.1.x"