setuid scripts (was Re: proc fs and shared pids)

Marek Michalkiewicz (
Thu, 5 Sep 1996 20:38:23 +0200 (MET DST)

Darren J Moffat:
> In the noexec case it isn't a problem because the script couldn't have
> been executed to start the trusted interpreter in the first place.

But the trusted interpreter could still be executed by the user
with the name of the script as argv[1]. Same for setuid...

> Any "guarding" setuid interpreter should check that what it is executing
> really should be allowed to be done, if this means checking the mount
> options then so be it, but I don't think this is neccessary.

I think this is necessary - and it is not portable. I still think
we should allow the Solaris /dev/fd hack (at least as an option).

> script that is setuid (4755)
> #!/usr/local/sbin/setuidexec /bin/sh
> cat < /etc/some_file_readable_only_by_root
> Putting script on vol mounted: noexec then nosuid then nosuid,noexec
> Putting the setuid guard wrapper on a mount that allows setuid and execs.

Is there anything to stop me doing this:

/usr/local/sbin/setuidexec /bin/sh script

(script is on a filesystem mounted nosuid)

This has nothing to do with filesystem type (ext2 or umsdos). Or am
I missing something here?