tech-userlevel archive
Re: setuid scripts
christos%astron.com@localhost (Christos Zoulas) writes:
> In article <87r62158mq.fsf%inbox.ru@localhost>, Aleksej Saushev
> <asau%inbox.ru@localhost> wrote:
>>Alan Barrett <apb%cequrux.com@localhost> writes:
>>
>>> On Sat, 14 Feb 2009, Aleksej Saushev wrote:
>>>> > I think you can run setuid scripts if you build a custom kernel with
>>>> > SETUIDSCRIPTS enabled.
>>>>
>>>> Does it prevent a symlink attack or simply disable the check?
>>>
>>> AFAIK it works properly, by passing the script to the shell using an
>>> open file descriptor, named via /dev/fd/${number}. I have no idea why
>>> it's disabled by default.
>>
>>Any reason to keep it disabled?
>
> People who write setuid shell scripts usually don't know what they are doing?
What I see in practice is that they simply work around the check by
implementing a setuid binary wrapper instead of learning how to write
correct scripts (those are _not_ shell ones in many cases).
--
CKOPO BECHA...
CKOPO CE3OH...
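
Added example (not part of the original message and not NetBSD kernel code): a user-space C sketch of why handing the interpreter an already-open descriptor, named as /dev/fd/${number} as described in the quoted reply, is unaffected by the path being replaced after the check. The function names and the temporary files under /tmp are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Name handed to the interpreter in place of the script's path. */
int script_fd_path(int fd, char *buf, size_t n)
{
    int len = snprintf(buf, n, "/dev/fd/%d", fd);
    return (len > 0 && (size_t)len < n) ? 0 : -1;
}

static int make_file(const char *path)
{
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0700);
    return fd < 0 ? -1 : close(fd);
}

/* Constructed demo. Returns 1 if a descriptor opened before the path was
 * replaced still names the file that was checked, 0 if not, -1 on error. */
int fd_survives_path_swap(void)
{
    char dir[] = "/tmp/fdscriptXXXXXX", script[64], other[64];
    struct stat checked, by_fd, by_path;
    int fd = -1, result = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(script, sizeof script, "%s/script", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    if (make_file(script) == 0 && make_file(other) == 0 &&
        (fd = open(script, O_RDONLY)) >= 0 &&  /* opened once, up front */
        fstat(fd, &checked) == 0 &&            /* checks apply to this inode */
        rename(other, script) == 0 &&          /* path now names another file */
        fstat(fd, &by_fd) == 0 && stat(script, &by_path) == 0)
        result = by_fd.st_ino == checked.st_ino &&
                 by_path.st_ino != checked.st_ino;
    if (fd >= 0) close(fd);
    unlink(other);
    unlink(script);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("descriptor still names checked file: %d\n", fd_survives_path_swap());
    return 0;
}
```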