Are suid shell scripts using /bin/csh secure
Guy Harris
auspex!guy at uunet.uu.net
Fri Mar 31 12:47:36 AEST 1989
> 3: Make a symbolic link to the script from a file called "-s";
> I KNOW OF NO WAY TO CIRCUMVENT THIS WITH /bin/sh
> SCRIPTS;

	#! /bin/sh -

The "-" argument will cause the shell to stop scanning its argument list
for flag arguments, and treat the argument following it as a script name.

However, there's also:

4: <censored>

There is another hole in the "#!" mechanism that there is no way to patch
merely by properly constructing the script. As far as I know, it can be
used to break either shell; the only fix anybody's come up with requires a
new kernel facility (basically, the "/dev/fd" mechanism) - thanks and a
tip of the Hatlo hat to, as I remember, Dave Korn for coming up with the
fix.

The presence of that hole is what prompted Berkeley to at least
temporarily remove the ability to run shell scripts set-UID (in a posting
to "comp.bugs.4bsd" or "comp.bugs.4bsd.ucb-fixes").
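
An added example, not part of the original post: a defender-side audit that lists set-UID/set-GID "#!" scripts under a directory and reports whether a /bin/sh script's interpreter line carries the lone "-" argument described above. The function names and output labels are assumptions of this example; a "terminated" script is still listed because, as the post says, the second hole cannot be closed from inside the script.

```shell
#!/bin/sh -
# Added example: audit set-UID/set-GID "#!" scripts for the "-" terminator.

# classify_shebang LINE
# Prints one of:
#   not-script    LINE does not start with "#!"
#   terminated    interpreter is sh and its argument is exactly "-"
#   unterminated  interpreter is sh with any other (or no) argument
#   unchecked     some other interpreter; the post only describes "-" for /bin/sh
classify_shebang() {
    case $1 in
        '#!'*) ;;
        *) echo not-script; return 0 ;;
    esac
    # Interpreter path: text after "#!" up to the first whitespace.
    interp=$(printf '%s\n' "$1" |
        sed -e 's/^#![[:space:]]*//' -e 's/[[:space:]].*$//')
    # Argument: whatever follows the interpreter, trimmed.
    arg=$(printf '%s\n' "$1" |
        sed -e 's/^#![[:space:]]*[^[:space:]]*[[:space:]]*//' -e 's/[[:space:]]*$//')
    case ${interp##*/} in
        sh) ;;
        *) echo unchecked; return 0 ;;
    esac
    if [ "$arg" = "-" ]; then echo terminated; else echo unterminated; fi
}

# audit_suid_scripts DIR
# Prints "VERDICT<TAB>PATH" for every set-UID or set-GID "#!" script under DIR.
# Set-UID binaries are skipped. Paths containing newlines are not handled.
audit_suid_scripts() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # Read only the first line; drop NUL bytes in case the file is binary.
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000')
        verdict=$(classify_shebang "$first")
        if [ "$verdict" != not-script ]; then
            printf '%s\t%s\n' "$verdict" "$f"
        fi
    done
}

# Usage: sh audit.sh /usr/local/bin
if [ "$#" -ge 1 ]; then audit_suid_scripts "$1"; fi
```
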