Bash scripting question
David A. Bandel
david
Mon May 17 11:47:52 PDT 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 27 May 2003 16:24:02 -0400 (EDT)
<listmail at rotundus.com> wrote:
> David A. Bandel wrote,
> > You cannot run a script SUID. Think about it a minute and you?ll
> > see that you don?t ever want that capability.
> >
> > The script runs and calls other programs/built-ins.
>
> I can see the need to be cautious with SUID anything, but is a script
> really that much more dangerous than anything else running SUID?
Yes. Consider: a script will run _anything_ you put in it. Now think
of the worst stuff you could put in it. Want your users running that
SUID? And even seemingly benign stuff, if it has a command that?s not
fully pathed (oops), and as a user I create a similarly named malicious
tool (and of course my PATH has $HOME/bin before the system paths) --
sounds like a wtfo (what the frell over?) to me.
Ciao,
David A. Bandel
- --
Focus on the dream, not the competition.
Nemesis Racing Team motto
GPG key autoresponder: mailto:david_key at pananix.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE+0/s/j31PLQNUbV4RAgB3AJ4jySFpKxjboKMSM6bUBBRs4wCj/QCffXoE
bf9fjoMywDOPDRusBsixrH0=
=uz7X
-----END PGP SIGNATURE-----
More information about the Linux-users
mailing list