Hard Links between UNIX Utility Programs
Chris Torek
chris at mimsy.UUCP
Thu Aug 4 22:14:12 AEST 1988
In article <153 at ispi.UUCP> jbayer at ispi.UUCP writes:
>Another workable solution is ... [to:]
>Create a shell script ....
>Make the shell script executable by everyone.
>Make the owner of the shell script the super user
>Set the user bit for the shell script (chmod u+s name)
Setuid scripts are not available in vanilla System V.
Setuid shell scripts are a security hole in vanilla BSD. If you have
not either made extensive kernel changes, or else installed the fix
from Berkeley that simply disables set-ID scripts, and you make a
setuid shell script (for either sh or csh), I can become that user on
your machine given access to any ordinary user account. I am not
willing to publish the method here; I will say that disabling setuid
scripts in the kernel, or simply not creating them in the first place,
suffices to prevent this avenue of attack.
--
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain: chris at mimsy.umd.edu Path: uunet!mimsy!chris
More information about the Comp.bugs.4bsd.ucb-fixes
mailing list