how to setuid for shell scripts?
John F. Haugh II
jfh at rpp386.cactus.org
Sat Nov 17 12:07:32 AEST 1990
In article <633 at vtserf.cc.vt.edu> valdis at wizards.vt.edu (Valdis Kletnieks) writes:
>You don't want to do this. Setuid shell scripts are a Bad Thing.
>
>The security leaks are ENORMOUS - it takes *ANY* user a whole
>whopping 3 or 4 commands to get a full-function interactive shell
>running under the UID the shell is set-UID to.
There are giant holes in the =traditional= method of implementing
setuid shell scripts; this does not mean that there are giant
holes in =every= implementation.
I have, however, yet to be convinced that any vendor has a
reasonable implementation of set-UID shell scripts out there.
The most common reason for vendors continuing to provide
set-UID scripts is that the customers don't understand the
risks well enough to not clamor for the feature.
--
John F. Haugh II UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832 Domain: jfh at rpp386.cactus.org
"SCCS, the source motel! Programs check in and never check out!"
-- Ken Thompson