Are suid shell scripts using /bin/csh secure?

Will Dickson will%robots.oxford.ac.uk at nss.cs.ucl.ac.uk
Sat Mar 11 15:44:52 AEST 1989


I know of three common modes of attack on set-uid shell scripts, all of
which I have failed to apply successfully to reasonably written shell
scripts under /bin/csh, but which are successful against scripts with
/bin/sh (though these can be protected from the first two):

	1: Set a path which includes trojan horses; this is defeated by
		setting an explicit path or specifying full paths to the
		command names.

	2: Set the environment variable IFS (/bin/sh only) to include
		the character '/'; IFS is ignored by csh, and can be
		defeated by resetting IFS at the start of sh scripts.
		Note that setting an explicit path without setting IFS
		does *not* help.

	3: Make a symbolic link to the script from a file called "-s";
		I KNOW OF NO WAY TO CIRCUMVENT THIS WITH /bin/sh
		SCRIPTS; /bin/csh will only run set-uid if it has the
		"-b" option in its arguments, and so cannot be broken in
		this way.

The question is, are there any other ways in which shell scripts can be
broken, and which shells do they apply to?

This issue has probably been covered in other newsgroups, but us
unfortunate Brits don't get all of these right now.

Will Dickson   (will%uk.ac.oxford.robots at uk.ac.ucl.cs.nss)

Robotics Research Group, Department of Engineering Science,
Oxford University, 19 Parks Road, Oxford, England.
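
A defensive audit of the three points in the message above, as an added example that is not part of the original post: it reports set-uid scripts whose interpreter line or body lacks the mitigations the post names. The function names and finding codes are hypothetical, and the PATH/IFS checks are textual heuristics rather than proof that a script is safe.

```shell
#!/bin/sh
# Added example, not from the original post. Names and finding codes are
# hypothetical; the PATH/IFS checks are textual heuristics only.

# check_script FILE: print one finding code per line for a script.
check_script() {
    s=$1
    first=$(sed -n '1p' "$s" | tr -d '\000')
    case $first in
        '#!'*) ;;
        *) echo "NOT_A_SCRIPT"; return 0 ;;
    esac
    interp=$(printf '%s\n' "$first" | awk '{ sub(/^#![ \t]*/, ""); print $1 }')
    # "-b" may be bundled with other flags, e.g. "-bf".
    has_b=$(printf '%s\n' "$first" | awk '{ sub(/^#![ \t]*/, "")
        for (i = 2; i <= NF; i++) if ($i ~ /^-[A-Za-z]*b/) { print "yes"; exit } }')
    case $interp in
        */csh)
            # Item 3: per the post, csh runs set-uid only with -b in its arguments.
            case $has_b in yes) ;; *) echo "CSH_NO_B_FLAG" ;; esac
            # Item 1: explicit path, csh syntax.
            grep -Eq '^[[:space:]]*(set[[:space:]]+path[[:space:]]*=|setenv[[:space:]]+PATH[[:space:]])' "$s" ||
                echo "PATH_NOT_SET"
            ;;
        */sh)
            # Items 1 and 2: an explicit PATH does not help unless IFS is reset too.
            grep -Eq '^[[:space:]]*PATH=' "$s" || echo "PATH_NOT_SET"
            grep -Eq '^[[:space:]]*IFS=' "$s" || echo "IFS_NOT_RESET"
            # Item 3: the post knows of no way to protect /bin/sh scripts.
            echo "SH_ITEM3_NO_KNOWN_FIX"
            ;;
        *) echo "UNKNOWN_INTERPRETER" ;;
    esac
}

# scan_dir DIR: report findings for every set-uid script under DIR.
scan_dir() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r file; do
        check_script "$file" | grep -v '^NOT_A_SCRIPT$' |
            while IFS= read -r finding; do printf '%s: %s\n' "$file" "$finding"; done
    done
}

if [ $# -gt 0 ]; then scan_dir "$1"; fi
```

Run it with a directory argument to list findings per set-uid script; set-uid binaries are skipped.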


