Suid script security
Guy Harris
guy at auspex.auspex.com
Sun Aug 12 07:01:33 AEST 1990
>Now, what if the name of the very shell script were e.g. "-i"? Wouldn't that
>give a nice exec?
>
> execl("/bin/sh", "sh", "-i", (char *) 0);
>
>So link the script to a file named "-i", and voila!
>Yes, one needs write permission somewhere on the same device, if one's
>operating system doesn't support symbolic links.
>
>What about the csh command interpreter? Well, 4.2BSD provides us with a csh
>which has a NEW option: "-b"! Its goal is to avoid just the thing described
>above:

Whereas the Bourne shell already has an option whose effect is to avoid
the thing just described above - "-". Yup, just a dash by itself, as in

	#! /bin/sh -

>the mnemonic for `b' is `break';

To quote the C shell source code:

	case 'b':	/* -b Next arg is input file */
		batch++;

so I don't think the mnemonic was intended to be "break"....
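
Added example, not part of the original post: a small C model of the argument vector discussed above, showing why a script invoked under the name "-i" is taken as an option and how the "-" (sh) or "-b" (csh) argument on the "#!" line stops that. The function names and the simplified option scan are assumptions for illustration, not the shells' actual parsers.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 4  /* name, optional "#!" argument, script, NULL */

/* Argument vector for a "#!" script, in the shape of the execl() call
 * quoted in the post: interpreter name, the optional argument from the
 * "#!" line, then the name the script was invoked under. Returns argc. */
int build_argv(const char *name, const char *interp_arg,
               const char *script, const char *argv[MAX_ARGS])
{
    int argc = 0;
    argv[argc++] = name;
    if (interp_arg != NULL && interp_arg[0] != '\0')
        argv[argc++] = interp_arg;
    argv[argc++] = script;
    argv[argc] = NULL;
    return argc;
}

/* Simplified model (assumption): leading arguments starting with '-' are
 * options; end_opt ("-" for sh, "-b" for csh) stops the scan so the next
 * argument is the input file. Returns that argument's index, or -1 when
 * the script name was swallowed as an option. */
int script_index(int argc, const char *argv[], const char *end_opt)
{
    int i = 1;
    while (i < argc && argv[i][0] == '-') {
        int stop = strcmp(argv[i], end_opt) == 0;
        i++;
        if (stop)
            break;
    }
    return i < argc ? i : -1;
}

int main(void)
{
    const char *av[MAX_ARGS];
    int ac;

    ac = build_argv("sh", NULL, "-i", av);   /* "#!" line with no argument */
    printf("no end-of-options: script index %d\n", script_index(ac, av, "-"));
    ac = build_argv("sh", "-", "-i", av);    /* "#! /bin/sh -" */
    printf("with \"-\":          script index %d\n", script_index(ac, av, "-"));
    ac = build_argv("csh", "-b", "-i", av);  /* csh with -b on the "#!" line */
    printf("with csh \"-b\":     script index %d\n", script_index(ac, av, "-b"));
    return 0;
}
```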