setuid shell scripts
Frederick M. Avolio
avolio at decuac.DEC.COM
Sat Nov 29 02:36:50 AEST 1986
In article <13 at houligan.UUCP>, dave at murphy.UUCP (Rael's brother John) writes:
> It works on BSD4.2 and 4.3 systems. ...
> Use of this feature poses a number of security problems, since shell scripts
> aren't usually written with security in mind. ...
Regarding security problems... You may as well just write a one line
C program that exec's the shell and make *that* setuid to root because
having a setuid shell script causes *the exact same behavior*. In
other words, a shell script that looks like:
#! /bin/sh
date
exit 0
and has the setuid bit set and is owned by root and readable by anyone
is like having no password on the root account.
Fred
More information about the Comp.unix.questions
mailing list