Setuid shell scripts (was System V Release 4 ...)

[Guy Harris]

>2.  The #! passes the name of the shell script as argv[1], but the shell
>    does not understand about this convention and will interpret argv[1]
>    as an option rather than as a file name if the first character of
>    argv[1] is a minus sign.  The fix is to write a little stub program
>    in C for each setuid shell procedure.

Or, if the script is a Bourne shell script, put

	#! /bin/sh -

rather than

	#! /bin/sh

as the first line.  This causes the shell to be passed a "-" as an
argument before the script name; all versions of the Bourne shell that I
know of will stop processing option arguments when they see the "-".

I think the same applies to the Korn shell.

If it's a C shell script, the fix is to 1) get a version of the C shell
on your system that supports the "-b" flag (like the 4.3BSD C shell
does; SunOS, for instance, has had that since 3.2), and put

	#! /bin/csh -b

as the first line.  "-b" has much the same effect.

If it's neither a C nor a Bourne nor a Korn shell script, you're on your
own.

Note also that there's another problem with the first character of the
script beginning with "-"; this problem was fixed in 4.3BSD's kernel,
and that fix was in SunOS since 3.2 as well.

Nevertheless:

	1) there is another problem with the "#!" mechanism that makes
	   set-UID scripts insecure; it is not a problem with a
	   particular shell, so it potentially affects all shells

and

	2) even if you fix that (there are ways to fix it if your kernel
	   has a certain mechanism, which unfortunately most don't have,
	   yet), the other arguments against set-UID scripts still apply
	   - you're relying on a large, complicated piece of software,
	   namely the interpreter running your script, and there may be
	   sneaky little back doors like IFS that you don't even know about.

It's hard enough to make sure a C program is secure when run set-UID....