how to setuid for shell scripts?

Guy Harris guy at auspex.auspex.com
Sun Nov 18 13:53:28 AEST 1990


>The security leaks are ENORMOUS - it takes *ANY* user a whole
>whopping 3 or 4 commands to get a full-function interactive shell
>running under the UID the shell is set-UID to.
>
>I won't give full details, other than to say - how does csh know
>to run .login for a login shell, but not a subshell?  Now think
>about .login for a while......
>
>(Hint - the shell checks argv[0] for a '-')...

Yes, but on 4.3BSD and any system that does 4.3BSD-style argument
handling with "#!" (SunOS 3.2 and later, S5R4, probably lots of other
systems), the name of the script does *NOT* get passed to the shell as
"argv[0]", so that *particular* hole isn't there on those systems. 
Dunno if it's fixed in the particular version of Ultrix the original
poster is using, though; unless they know it is, they should assume it
isn't....

There are plenty of other holes.  To close one of them, make sure that
the "#!" line looks like:

	"#! /bin/sh -"		Bourne shell (also Korn and probably
				Bourne-again shells, with appropriate
				change of interpreter path name)

	"#! /bin/csh -b"	4.3BSD and later C shell (and probably
				C-shell derivatives), assuming you've
				written the script in C shell for some
				reason

To close others, make sure you set PATH (or "path", in C shell scripts -
assuming you really *like* writing C shell scripts) before running any
commands, and in Bourne/Korn/Bourne-again shell scripts, set IFS before
setting anything else.

There are probably other things you need to watch out for as well.  The
shells are all big enough programs interpreting big-enough languages
that there are probably other ways of breaking in to
incautiously-written scripts.

On top of that, there's a hole with "#!" that's present in almost all
systems - I think it's fixed in S5R4 and think it'll be fixed in 4.4BSD
- that you *can't* plug except by doing fixes of the sort done in those
systems.

There are alternatives to "#!"; Maarten Litmaath has a program whose name
I've forgotten that you can use (he says, in an attempt to prompt
Maarten to follow up :-)).
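As an added illustration (not part of Guy Harris' post, and not code from any of the systems he names), the following Bourne-shell preamble applies the three fixes the post lists, in the order it gives them: the trailing "-" on the "#!" line, IFS reset before any other statement, then a fixed PATH before any external command. The `preamble_ok` and `count_words` helpers are assumptions of this example, added so the effect can be checked; the check also assumes an `sh` binary exists in /bin or /usr/bin.

```shell
#! /bin/sh -
# Added example, not from the original post.  The lone "-" after the
# interpreter ends option processing, so anything the kernel appends to the
# "#!" line (the script's own path) is never parsed as shell options.

# 1. IFS first.  The inherited value controls how the shell splits every
#    unquoted expansion that follows, so nothing else may run before it is
#    reset to the default of space, tab, newline (the literal characters
#    inside the quotes below).
IFS=' 	
'

# 2. PATH next, to fixed system directories, before any external command.
PATH=/bin:/usr/bin
export PATH

# Self-check: confirms the environment the preamble established.
preamble_ok() {
    # IFS must be exactly space, tab, newline.
    [ "$IFS" = ' 	
' ] || return 1
    # PATH must be the fixed value set above.
    [ "$PATH" = /bin:/usr/bin ] || return 1
    # A command looked up now must resolve inside that PATH.
    case "$(command -v sh)" in
        /bin/sh|/usr/bin/sh) ;;
        *) return 1 ;;
    esac
    return 0
}

# Educational helper: how many words does STRING split into under a given
# IFS value?  Runs in a subshell so the caller's IFS is untouched.
#   usage: count_words IFS_VALUE STRING
count_words() {
    ( IFS=$1; set -- $2; echo $# )
}

# Stand-alone run: with the default IFS a path stays one word; with an
# inherited IFS of "/" the same path splits into several, which is why the
# reset must come before any command line is expanded.
preamble_ok && echo "preamble ok"
echo "words in /bin/ls with default IFS: $(count_words "$IFS" /bin/ls)"
echo "words in /bin/ls with IFS=/:       $(count_words / /bin/ls)"
```

Run it under any POSIX sh; the two `count_words` lines show why the post insists that IFS be the very first thing a set-UID script touches.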
