setuid shell scripts

P. D. Guthrie pdg at ihdev.UUCP
Wed Dec 3 02:05:48 AEST 1986


In article <416 at gouldsd.UUCP> mjranum at gouldsd.UUCP (Marcus J Ranum) writes:
]In article <13 at houligan.UUCP>, dave at murphy.UUCP (Rael's brother John) writes:
]] It works on BSD4.2 and 4.3 systems.  ...
]
]	When writing setuid shell scripts it's a good idea to specifically
]set the PATH (not including '.' or any WRITEABLE directory).  You also must
]avoid any programs that have a shell escape or can call a program with a
]shell escape. 
]	Usually when I have to do setuid shell scripts, I change directory
]to someplace innocuous and unwritable, set the PATH to nothing, and call
]*EVERYTHING* with explicit path names. Even then, it's a rotten idea to
]use setuid shells when you have a perfectly good C compiler around and can
]do a much better job...

Yes, this is good on System V (pick your release), but *not* on
Berkeley.  As has been noted many times, the security bug does not even
need to run the script to work.  Therefore all of your nicely thought out,
careful programming could not stop the security hacker, who could not
give a hoot what your script does (or does not) because it doesn't
matter.

Your last sentence sums this discussion on setuid shell scripts up pretty
well.  *Never* have setuid shell scripts on a BSD4.x system unless a)
you don't care who breaks into your machine (some people don't) or b)
you have installed a kernel-kludge to plug the security hole.  Does
anyone have diffs for this they can post?  The last BSD machine I had
access to just went to sourceless Ultrix. Sigh.

-- 

Paul Guthrie					We come in peace,
ihnp4!ihdev!pdg					We bring BEER!
