[198] in bugtraq


Re: Setuid programs run from shell scripts?

daemon@ATHENA.MIT.EDU (Fred Blonder)
Tue Nov 15 13:24:07 1994

To: Michael Neuman <mcn@c3serve.c3.lanl.gov>
Cc: bugtraq@fc.net, fred@nasirc.hq.nasa.gov
In-Reply-To: Your message of "Mon, 14 Nov 1994 11:12:32 MST."
             <199411141818.LAA21558@c3serve.c3.lanl.gov> 
Date: Tue, 15 Nov 1994 10:30:14 -0500
From: Fred Blonder <fred@nasirc.hq.nasa.gov>

	From: Michael Neuman <mcn@c3serve.c3.lanl.gov>

	This is a nice security feature, but is it a bug?

	<example deleted>

	Shouldn't suid run as root under the "script"?
 
(Not to get into the set-UID shell-script argument again. ;-)

How would you handle the situation where the script itself and the
interpreter are BOTH set-UID?

They're both integers.  We can ADD them.  No wait! We'll AVERAGE them.

Clearly, the set-UID bit on one or the other must take precedence.
Someone, somewhere decided that it would be the set-UID bit on the
script.  This was maybe the wrong decision, but it's the one we're
stuck with, for the moment at least.
-----
Fred Blonder		fred@nasirc.hq.nasa.gov

Hughes STX Corp.	(301) 441-4079
7701 Greenbelt Rd.
Greenbelt, Md.  20770
