[975] in bugtraq
Re: SUID shell scripts, questions?
daemon@ATHENA.MIT.EDU (Fred Blonder)
Mon Feb 13 12:51:28 1995
To: woods@ncar.ucar.edu (Greg Woods)
Cc: bugtraq@fc.net
In-Reply-To: Your message of "Fri, 10 Feb 1995 17:23:11 MST."
<199502110023.RAA15201@ncar.ucar.EDU>
Date: Mon, 13 Feb 1995 09:25:53 -0500
From: Fred Blonder <fred@nasirc.hq.nasa.gov>
From: woods@ncar.ucar.edu (Greg Woods)
. . . you could always overwrite the SAME file with
something new, so the fd doesn't change.
Now wait a minute! If someone can overwrite the SAME file you're
potentially hosed whether or not that file is a shell script or a
binary. If you execute a file that's world-writwable, or writable by
anyone untrusted, you're leaving yourself open.
