setuid shell scripts
Marcus J Ranum
mjranum at gouldsd.UUCP
Tue Dec 2 02:35:40 AEST 1986
In article <13 at houligan.UUCP>, dave at murphy.UUCP (Rael's brother John) writes:
> It works on BSD4.2 and 4.3 systems. ...
When writing setuid shell scripts it's a good idea to specifically
set the PATH (not including '.' or any WRITEABLE directory). You also must
avoid any programs that have a shell escape or can call a program with a
shell escape.
Usually when I have to do setuid shell scripts, I change directory
to someplace innocuous and unwritable, set the PATH to nothing, and call
*EVERYTHING* with explicit path names. Even then, it's a rotten idea to
use setuid shells when you have a perfectly good C compiler around and can
do a much better job...
--
TRUST NO-ONE !! STAY ALERT !!
KEEP YOUR LASER HANDY !!
THE COMPUTER IS YOUR FRIEND !!!
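
Added example, not part of the original post: a POSIX sh check for the PATH rule described above (no '.', no empty or relative entry, no directory writable by group or other). The function name path_is_safe is hypothetical, and the check looks only at each directory's own mode, not at its parent directories.

```shell
#!/bin/sh
# Added example: audit a PATH value before a privileged script relies on it.
# path_is_safe is a hypothetical helper name, not from the original post.
# Usage: path_is_safe "/bin:/usr/bin" || exit 1

# Prints the reason and returns 1 on the first unsafe entry; returns 0 if
# every entry is an absolute directory not writable by group or other.
path_is_safe() {
    p=$1
    # An empty entry (leading, trailing or doubled colon) means the
    # current directory, the same as '.'.
    case ":$p:" in
        *::*) echo "empty entry (current directory)"; return 1 ;;
    esac
    old_ifs=$IFS
    IFS=:
    set -f                  # no glob expansion while splitting on ':'
    set -- $p
    set +f
    IFS=$old_ifs
    for dir in "$@"; do
        case $dir in
            /*) ;;          # absolute: continue with the mode check
            *) echo "relative entry: $dir"; return 1 ;;
        esac
        [ -d "$dir" ] || { echo "not a directory: $dir"; return 1; }
        # Mode string of the directory itself; -L follows a symlinked
        # entry. Character 6 is group write, character 9 is other write.
        mode=$(ls -ldL "$dir" | cut -c1-10)
        case $mode in
            ?????w????|????????w?)
                echo "writable by group or other: $dir ($mode)"
                return 1 ;;
        esac
    done
    return 0
}
```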