Bugtraq mailing list archives

Re: Setuid programs run from shell scripts?

From: fred () nasirc hq nasa gov (Fred Blonder)
Date: Tue, 15 Nov 1994 10:30:14 -0500


        From: Michael Neuman <mcn () c3serve c3 lanl gov>

        This is a nice security feature, but is it a bug?

        <example deleted>

        Shouldn't suid run as root under the "script"?
 
(Not to get into the set-UID shell-script argument again. ;-)

How would you handle the situation where the script itself and the
interpreter are BOTH set-UID?

They're both integers.  We can ADD them.  No wait! We'll AVERAGE them.

Clearly, the set-UID bit on one or the other must take precedence.
Someone, somewhere decided that it would be the set-UID bit on the
script.  This was maybe the wrong decision, but it's the one we're
stuck with, for the moment at least.
-----
Fred Blonder            fred () nasirc hq nasa gov

Hughes STX Corp.        (301) 441-4079
7701 Greenbelt Rd.
Greenbelt, Md.  20770

Current thread:

just bitten by the babbling talk's Eric Berggren (Nov 08)
- Re: just bitten by the babbling talk's Steinar Haug (Nov 09)
- /dev/ttyd crashes SunOS? Dave Horsfall (Nov 10)
  - Re: /dev/ttyd crashes SunOS? Dave Horsfall (Nov 14)
  - Setuid programs run from shell scripts? Michael Neuman (Nov 14)
    - Re: Setuid programs run from shell scripts? Fred Blonder (Nov 15)
    - Re: Setuid programs run from shell scripts? Quentin Fennessy (Nov 15)
    - Re: Setuid programs run from shell scripts? Karl Strickland (Nov 16)
    - Re: Setuid programs run from shell scripts? Julian Assange (Nov 17)
    - Re: Setuid programs run from shell scripts? Justin J. Lister (Nov 18)
    - archives Matthew Harding (Nov 25)
    - archives of this list Matthew Harding (Nov 25)
  - Raw Socket Bug: details & patch. Darren Reed (Nov 15)