Bash scripting question
Kevin O'Gorman
kevin
Mon May 17 11:47:53 PDT 2004
On Tue, 27 May 2003, David A. Bandel wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 27 May 2003 16:24:02 -0400 (EDT)
> <listmail at rotundus.com> wrote:
>
> > David A. Bandel wrote,
> > > You cannot run a script SUID. Think about it a minute and you?ll
> > > see that you don?t ever want that capability.
> > >
> > > The script runs and calls other programs/built-ins.
> >
> > I can see the need to be cautious with SUID anything, but is a script
> > really that much more dangerous than anything else running SUID?
>
> Yes. Consider: a script will run _anything_ you put in it. Now think
> of the worst stuff you could put in it. Want your users running that
> SUID? And even seemingly benign stuff, if it has a command that?s not
> fully pathed (oops), and as a user I create a similarly named malicious
> tool (and of course my PATH has $HOME/bin before the system paths) --
> sounds like a wtfo (what the frell over?) to me.
>
I miss the logic of this. An executable will also run _anything_
you put in it, and succeed if it has enough privilege. And they will
run as a Trojan if they're in your searchpath. There must be something
else that makes scripts more dangerous.
++ kevin
More information about the Linux-users
mailing list