Re: setuid scripts (was Re: proc fs and shared pids)

Darren J Moffat (
Fri, 6 Sep 1996 17:47:14 +0100 (BST)

On Thu, 5 Sep 1996, Marek Michalkiewicz wrote:

> Darren J Moffat:
> > In the noexec case it isn't a problem because the script couldn't have
> > been executed to start the trusted interpreter in the first place.
> But the trusted interpreter could still be executed by the user
> with the name of the script as argv[1]. Same for setuid...

see below.

> I think this is necessary - and it is not portable. I still think
> we should allow the Solaris /dev/fd hack (at least as an option).

I thought so for a while as well and think that the setuidexec solution is
much much better. In fact better still wait until I've finished
implementing POSIX.6 and then the problem is better solved.

> Is there anything to stop me doing this:
> /usr/local/sbin/setuidexec /bin/sh script
> (script is on a filesystem mounted nosuid)
> This has nothing to do with filesystem type (ext2 or umsdos). Or am
> I missing something here?

yes, the code to setuidexec, it won't work like this,

$ setuidexec /bin/sh cat ~
cat: No such file or directory

$ setuidexec /bin/sh
Syntax error while executing setuidexec
Usage: #! setuidexec <shell>

The reason for this is the setuidexec program (as posted in this list)
does the /dev/fd hack that Solaris 2.x does exactly _and_ checks the
permisons of the script _and_ creates a minimal standard environment _and_
can't be run unless it is called via a #! mechanism.

[If you missed the code I'll mail it to you if you like]

Darren J Moffat
							"Veni, Vidi, Dolavi"