From: John Hawkinson <jhawk@panix.com>

When we say FIXING THE KERNEL, we MEAN DISABLING SETUID SCRIPTS. If you have some other reasonable mechanism, I'd be interested in hearing it...

Well, just to keep thrashing this one around, imagine the following implementation:

Set-uid script 'foo' calls interpreter 'bar':

-rws--x--x  1 user  33 Sep 28 10:33 foo

foo:
#! /bin/bar
.
.
.

A user invokes 'foo', the kernel sees the magic token '#!', converts the inode for file 'foo' to a file descriptor (say for the purpose of this example: fd 3) and adds it to the set of open file descriptors (assuming the standard 0, 1 and 2 are already open), then execs '/bin/bar' with an argument of '/dev/fd/3'.

The evil cracker can shift symbolic links around to his heart's content, but can't prevent the '/bin/bar' process from opening the correct script since it's already been passed as an open file descriptor, hence no race condition.

This approach requires no changes to existing interpreters.

I suggest we move this discussion to a different forum, as it's now pretty far beyond the declared scope of bugtraq.

-----
Fred Blonder
fred@nasirc.hq.nasa.gov
Hughes STX Corp.
(301) 441-4079
7701 Greenbelt Rd.
Greenbelt, Md. 20770
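The descriptor-passing scheme described above, as an added user-space illustration that is not part of the original post: the launcher opens the script first, reads the '#!' line from the open descriptor, and hands the interpreter '/dev/fd/N' instead of the path, so re-pointing the path after the open cannot change which file the interpreter reads. Function names, the 256-byte shebang read, and the temporary files in the demonstration are this example's own assumptions; '/dev/fd' is assumed to behave as on Linux (a reopen of the same inode).

```python
import os
import tempfile

DEVFD = "/dev/fd"  # on Linux a symlink to /proc/self/fd


def parse_shebang(first_line: bytes):
    """Turn b'#! /bin/bar [optional arg]' into an argv prefix, or None
    when the line carries no '#!' magic token."""
    if not first_line.startswith(b"#!"):
        return None
    parts = first_line[2:].strip().split(None, 1)  # interpreter, rest
    if not parts:
        return None
    return [p.decode() for p in parts]


def build_argv(script_path: str):
    """Open the script, then name it to the interpreter by descriptor.
    Returns (fd, argv); fd is left open and inheritable for the exec."""
    fd = os.open(script_path, os.O_RDONLY)
    head = os.pread(fd, 256, 0).split(b"\n", 1)[0]  # read via fd, not path
    prefix = parse_shebang(head)
    if prefix is None:
        os.close(fd)
        raise ValueError("not an interpreter script")
    os.set_inheritable(fd, True)  # must survive execv
    return fd, prefix + [f"{DEVFD}/{fd}"]


def exec_script(script_path: str):
    """Replace this process with the interpreter reading /dev/fd/N."""
    fd, argv = build_argv(script_path)
    os.execv(argv[0], argv)  # does not return on success


def demo_swap_after_open():
    """Constructed demonstration: the path is re-pointed after the open,
    yet /dev/fd/N still yields the originally opened script."""
    d = tempfile.mkdtemp()
    real, link, other = (os.path.join(d, n) for n in ("foo.real", "foo", "other"))
    with open(real, "w") as f:
        f.write("#! /bin/sh\necho original\n")
    os.symlink(real, link)
    fd, argv = build_argv(link)  # descriptor now pins the inode
    with open(other, "w") as f:
        f.write("#! /bin/sh\necho swapped\n")
    os.unlink(link)
    os.symlink(other, link)  # the link is shifted after the open
    with open(f"{DEVFD}/{fd}") as f:
        seen = f.read()
    os.close(fd)
    return argv, seen
```

The launcher only shows the fd-passing half of the idea; the privilege change the kernel would perform for a set-uid script is deliberately not part of this example.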