show me

[Guy Harris]

> > Are these problems specific to particular versions of UNIX, or particular
> > shell types (sh, csh, ksh, perl) or version of those shells?
> 
> As an example, just for nastyness' sake would be (under setuid root or bin
> shell, a use executes teh following):

No, that's not what the problem is.  The list of things you can do if you
already *have* super-user privileges is extremely long, but not really relevant
here since the super-user (in systems that have such a notion) had better be
trusted (which is why some systems - e.g., proposed secure UNIX systems - don't
have the notion of super-user).

The problem is that there are ways of using a set-uid shell script to *get*
super-user privileges when you're *not* supposed to be able to get them.  There
has been some discussion of them on the "security" mailing list (no, I don't
remember offhand how you get on this list).

One of the problems is unique to pre-4.3BSD versions of the C shell, in that
you can write your "#! /bin/sh" line in a way that avoids it, regardless of
which version of the Bourne (or Korn) shell you have (as far as I know), but
you need a feature in the C shell that appears only in 4.3BSD to avoid it.
Another problem is specific to systems that use a pre-4.3BSD implementation of
"#!".

However, another problem is not fixed in any version of UNIX that I know about;
it's tricky to fix.  It does depend on the particular order in which some
things in the system happen, so it's conceivable that it may not occur in some
versions of UNIX, but I wouldn't bet on it.  There may be a way to fix it.

However, that problem didn't occur to me, or to anybody I know, until somebody
pointed it out; this indicates that there could, conceivably, be even *more*
subtle problems with set-UID shell scripts that nobody has found yet, so I'd be
loath to assume that, at any given point, we'd "plugged the last hole".