Bugtraq mailing list archives

Re: setuid scripts in SunOS 4.1.x


From: jhawk () panix com (John Hawkinson)
Date: Wed, 28 Sep 1994 01:02:48 -0400 (EDT)


Well, now that I've been trounced upon by several of you folks,  ;-) I
realize that by 'fixing the kernel' I was (mistakenly) assuming
that what was meant was 'disable set-uid interpreter scripts'.  It was
disabling them entirely that I disagree with.  Yes, I am aware of the
race condition with such scripts, and agree that it needs to be solved
before such scripts have any hope of being considered 'safe'.

Excuse me?

When we say FIXING THE KERNEL, we MEAN DISABLING SETUID SCRIPTS.

If you have some other reasonable mechanism, I'd be interested in
hearing it...

While we're on the subject: What should happen if you have a set-uid
interpreter script and the interpreter it invokes is also set-uid to a
different uid?  This is a philosophical point, so I suppose the
discussion should be moved to some other list or newsgroup.

Well, under SunOS 4.1.3, which was the OS in question, it keeps
the uid/gid of the script, not the interpreter. This is arguably
more consistent than taking the uid & gid of the interpreter.

--
John Hawkinson
jhawk () panix com


