[198] in bugtraq
Re: Setuid programs run from shell scripts?
daemon@ATHENA.MIT.EDU (Fred Blonder)
Tue Nov 15 13:24:07 1994
To: Michael Neuman <mcn@c3serve.c3.lanl.gov>
Cc: bugtraq@fc.net, fred@nasirc.hq.nasa.gov
In-Reply-To: Your message of "Mon, 14 Nov 1994 11:12:32 MST."
<199411141818.LAA21558@c3serve.c3.lanl.gov>
Date: Tue, 15 Nov 1994 10:30:14 -0500
From: Fred Blonder <fred@nasirc.hq.nasa.gov>

    From: Michael Neuman <mcn@c3serve.c3.lanl.gov>

    This is a nice security feature, but is it a bug?
    <example deleted>
    Shouldn't suid run as root under the "script"?

(Not to get into the set-UID shell-script argument again. ;-)
How would you handle the situation where the script itself and the
interpreter are BOTH set-UID?
They're both integers. We can ADD them. No wait! We'll AVERAGE them.
Clearly, the set-UID bit on one or the other must take precedence.
Someone, somewhere decided that it would be the set-UID bit on the
script. This was maybe the wrong decision, but it's the one we're
stuck with, for the moment at least.
-----
Fred Blonder fred@nasirc.hq.nasa.gov
Hughes STX Corp. (301) 441-4079
7701 Greenbelt Rd.
Greenbelt, Md. 20770
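
Added example, not part of the original message and not any system's own code: a Python audit helper that reads a script's "#!" line, checks the set-UID bit on both the script and its interpreter, and reports the effective UID under the precedence rule the message describes (the script's bit wins). That rule is an assumption taken from the message, not a statement about any particular kernel; the function names and sample files are constructed for illustration.

```python
import os
import stat
import tempfile

def interpreter_of(path):
    """Return the interpreter named on a '#!' first line, or None."""
    with open(path, "rb") as f:
        line = f.readline(256)
    if not line.startswith(b"#!"):
        return None
    fields = line[2:].split()
    return fields[0].decode(errors="replace") if fields else None

def resulting_euid(caller_euid, script, interp):
    """script and interp are (st_mode, st_uid) pairs.
    Assumed rule, taken from the message: the script's set-UID bit wins."""
    (s_mode, s_uid), (i_mode, i_uid) = script, interp
    if s_mode & stat.S_ISUID:
        return s_uid
    if i_mode & stat.S_ISUID:
        return i_uid          # ordinary exec of a set-UID interpreter
    return caller_euid

def audit(path, caller_euid):
    """Report on one file; None if it is not a '#!' script."""
    interp = interpreter_of(path)
    if interp is None:
        return None
    s, i = os.stat(path), os.stat(interp)
    return {
        "script": path,
        "interpreter": interp,
        "both_setuid": bool(s.st_mode & i.st_mode & stat.S_ISUID),
        "euid": resulting_euid(caller_euid, (s.st_mode, s.st_uid),
                               (i.st_mode, i.st_uid)),
    }

if __name__ == "__main__":
    # Constructed sample files; no set-UID bit is actually needed to run this.
    with tempfile.TemporaryDirectory() as d:
        interp, script = os.path.join(d, "interp"), os.path.join(d, "script")
        open(interp, "wb").close()
        with open(script, "wb") as f:
            f.write(b"#!" + interp.encode() + b" -x\n")
        print(audit(script, os.geteuid()))
    suid = stat.S_IFREG | stat.S_ISUID | 0o755
    # Both set-UID, different owners (constructed): script owner 0 wins.
    print(resulting_euid(1000, (suid, 0), (suid, 50)))
```

Run over the output of a set-UID file sweep, entries with "both_setuid" true and differing owners are the cases the message asks about.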