Bugtraq mailing list archives
Re: setuid scripts in SunOS 4.1.x
From: jhawk () panix com (John Hawkinson)
Date: Mon, 26 Sep 1994 16:17:15 -0400 (EDT)
me:
The "correct" thing to do is to patch kern_exec.c (kern_exec.o).
Ummm, then how's it going to cope with set-uid perl scripts, which ARE rumored to be secure? You could have a table of 'ok shell interpreters' in the kernel, but that would be extremely ugly.
Perl implements a solution. It has a program called suidperl, which emulates setuid scripts when they are disabled, thus allowing setuid perl scripts.
Since the problem is in /bin/sh, that is where it should be solved, or at least avoided. If you across-the-board disable all set-uid shell interpreters, that will infuriate the few who do it right, and remove any motivation for others to do it correctly.
And what software other than perl implements setuid scripts in a secure manner? -- John Hawkinson jhawk () panix com
Current thread:
- Re: setuid scripts in SunOS 4.1.x Richard Huddleston (Sep 21)
- <Possible follow-ups>
- Re: setuid scripts in SunOS 4.1.x Peter Jeremy (Sep 22)
- Re: setuid scripts in SunOS 4.1.x Colin Campbell (Sep 23)
- Re: setuid scripts in SunOS 4.1.x John Hawkinson (Sep 22)
- Re: setuid scripts in SunOS 4.1.x Karl Strickland (Sep 24)
- Re: setuid scripts in SunOS 4.1.x Fred Blonder (Sep 26)
- Re: setuid scripts in SunOS 4.1.x John Hawkinson (Sep 26)
- Re: setuid scripts in SunOS 4.1.x Harold van Aalderen (Sep 27)
- Re: setuid scripts in SunOS 4.1.x Rafi Sadowsky (Sep 27)
- Re: setuid scripts in SunOS 4.1.x Paul O'Donnell (Sep 27)
- Re: setuid scripts in SunOS 4.1.x Fred Blonder (Sep 27)
- Re: setuid scripts in SunOS 4.1.x John Hawkinson (Sep 27)
- Re: setuid scripts in SunOS 4.1.x Valdis.Kletnieks () vt edu (Apr 17)
- Re: setuid scripts in SunOS 4.1.x jmc () gnu ai mit edu (Sep 28)
- request Michel JACQUOT (Sep 29)
- Re: setuid scripts in SunOS 4.1.x Fred Blonder (Sep 28)
- Re: setuid scripts in SunOS 4.1.x John Hawkinson (Sep 28)
- Re: setuid scripts in SunOS 4.1.x John Hawkinson (Sep 22)