what are the implications of shell doing setuid(getuid())?

BALDWIN mike at whuxl.UUCP
Fri Sep 20 06:53:45 AEST 1985


> > I was recently asked what the implications would be of having the shell do a
> > setuid(getuid()) and setgid(getgid()) as soon as it's invoked. The reason is
> > to try and plug up any security holes caused by set[ug]id programs that
> > invoke system(3C) or popen(3S). What tools are there that anyone knows of
> > that would be broken if this change were made, locally, or for real?
> 
> cpio, find, & sdiff all use popen() and tar uses system().
> Your proposed change could break their operation when these
> utilities are run privileged.  There are many other loopholes
> of equal or greater concern than "sh -c" that your shell
> mod would not take care of.  This seems like the wrong place
> to try to enforce security.

Nope:  cpio, find, sdiff and tar aren't setuid or setgid, so it doesn't
affect them at all.  It *only* affects setuid or setgid C programs that
exec the shell either directly, or through system() or popen().  This
loophole is quite large, why not fix it along with the others?
-- 
						Michael Baldwin
						AT&T Bell Labs
						{at&t}!whuxl!mike
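
The ID drop discussed in this thread, as an added example that is not part of the original post or any shell's actual source: `drop_to_real_ids()` performs the proposed `setgid(getgid())` / `setuid(getuid())` step, and the hypothetical helper `system_unprivileged()` shows the same drop done in the child before `sh -c` runs. The helper name, the exit codes 126/127 and the sample command are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The shell startup step proposed in the thread.
 * A no-op when real and effective IDs already match (cpio, find, tar);
 * only a set[ug]id caller has anything to lose. Returns 0 or -1. */
int drop_to_real_ids(void)
{
    /* Group first: after the UID drop the process may no longer
     * be permitted to change its GID. */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    /* Verify instead of trusting the return codes. */
    return (geteuid() == getuid() && getegid() == getgid()) ? 0 : -1;
}

/* Hypothetical helper: system(3)-like call whose child drops to the
 * real IDs before "sh -c" runs. Returns the exit status, or -1. */
int system_unprivileged(const char *cmd)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_to_real_ids() != 0)
            _exit(126);              /* refuse to run the shell privileged */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                  /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed command: print effective and real UID as the shell sees them. */
    int rc = system_unprivileged("echo euid=$(id -u) ruid=$(id -ru)");
    printf("shell exited with %d\n", rc);
    return rc;
}
```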


