>>>>>>>VITAL warning on suid shell scripts <<<<<<<<<<<<<<

John F Haugh II jfh at rpp386.cactus.org
Thu May 23 23:17:48 AEST 1991


In article <7835 at awdprime.UUCP> dcm at plato.austin.ibm.com writes:
>	(1) if you can become root by using a shipped script, then report
>	it as a defect.  (2) Yes, I admit shipped suid shell scripts are
>	probably security holes.  (3) However, I don't agree that the concept of
>	allowing suid shell scripts is a bug.
>	
>	If your system administrator messes up and writes a buggy suid script,
>	it's his fault.  If we mess up and ship buggy scripts, it's our fault
>	(and we should be shot).

The problem is that set-UID shell scripts cannot be written in a secure
manner on AIX v3.  I was the person that opened the original PTM to have
them removed, and the only argument that was ever given to keep them in
is that certain third party companies require set-UID shell scripts for
their software.  That means that your (1) above is occurring - someone is
shipping set-UID scripts with their product.  I assure you that (2) is
certainly correct.  (3) is correct - the =concept= is OK, it's the
implementations that are evil.  So far no one has come up with a good
implementation of set-UID shell scripts.  I have described to Kathy B.
and other architects what is needed to secure the shell scripts, and have
reviewed half a dozen or more equally buggy suggestions.

The bottom line is that in order to have set-UID shell scripts, some
drastic change in implementation is required.

DISCLAIMER:  I don't speak for IBM, LCC, or any other third party.  I
             speak for myself only.
-- 
John F. Haugh II        | Distribution to  | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 255-8251 | GEnie PROHIBITED :-) |  Domain: jfh at rpp386.cactus.org
"If liberals interpreted the 2nd Amendment the same way they interpret the
 rest of the Constitution, gun ownership would be mandatory."
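A defender's audit for the situation the post describes, added here as an example that is not part of the original message or of AIX: it assumes a POSIX system and uses a constructed temporary tree, not any real system path, to report files that carry the set-UID/set-GID bit and are interpreter (`#!`) scripts.

```python
import os
import stat
import tempfile


def is_interpreter_script(path):
    """True if the file starts with '#!', i.e. the kernel would hand it to
    an interpreter instead of executing it directly."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def find_setuid_scripts(root):
    """Walk `root` (symlinks not followed) and return the sorted relative
    paths of regular files that carry the set-UID or set-GID bit and are
    '#!' scripts: exactly the files the post argues cannot be made safe."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, sockets, fifos
            if not mode & (stat.S_ISUID | stat.S_ISGID):
                continue  # ordinary file, no privilege change on exec
            if is_interpreter_script(path):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo():
    """Constructed tree in a temp dir: one suid shell script (should be
    reported), one suid ELF-style binary and one non-suid script (not)."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    os.mkdir(os.path.join(root, "bin"))
    samples = {
        "bin/suid.sh": (b"#!/bin/sh\necho hello\n", 0o4755),
        "bin/suid-bin": (b"\x7fELF\x02\x01\x01", 0o4755),
        "bin/plain.sh": (b"#!/bin/sh\necho plain\n", 0o755),
    }
    for rel, (body, mode) in samples.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)  # setting u+s on your own file needs no root
    return find_setuid_scripts(root)
```

Run `find_setuid_scripts("/")` as root to audit a real system; any hit is a candidate for the removal the post argues for, or for replacement with a compiled wrapper.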