Bash scripting question
David Aikema
listmail
Mon May 17 11:47:53 PDT 2004
On Tuesday, May 27, 2003, at 09:12 PM, Kevin O'Gorman wrote:
>> Yes. Consider: a script will run _anything_ you put in it. Now think
>> of the worst stuff you could put in it. Want your users running that
>> SUID? And even seemingly benign stuff, if it has a command that's not
>> fully pathed (oops), and as a user I create a similarly named
>> malicious tool (and of course my PATH has $HOME/bin before the
>> system paths) -- sounds like a wtfo (what the frell over?) to me.
>
> I miss the logic of this. An executable will also run _anything_
> you put in it, and succeed if it has enough privilege. And they will
> run as a Trojan if they're in your searchpath. There must be something
> else that makes scripts more dangerous.

I suppose that a lot of the stuff that you might need to resort to
various programs like awk for in a script, in a compiled program you
would be calling instead various library functions. Upon building of
the application you link it with the library eliminating some of the
security risk and the need for calling everything by the full pathname
in your code.

That said, if you're careful about it, I don't see a big problem with
using scripts if you're extremely careful about it, as you should be
with anything of this nature.

The issue that I've run into is my script needs to in turn execute
another script, which I'm not supposed to be changing, to complete the
task. IIRC the script in question was written in tcsh and takes the
same action that I witnessed in bash when an attempt is made to run it
SUID.

David Aikema
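
The PATH lookup discussed in this thread, as an added example that is not part of the original post: two POSIX sh helpers that show which file an un-pathed command such as awk resolves to under a given PATH, and which PATH entries someone other than a trusted owner could write to. The function names and the TRUSTED_UID variable are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example (not from the thread); all names here are hypothetical.

# Print the file the shell would run for CMD under the PATH string given.
resolve_in_path() (
    cmd=$1
    set -f                      # no globbing while splitting on ':'
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.  # an empty entry means the current directory
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
            exit 0
        fi
    done
    exit 1
)

# Print every PATH entry a privileged script should not search: empty or
# relative entries, and directories that are group/world-writable or not
# owned by the trusted uid (TRUSTED_UID, default 0 = root).
risky_path_entries() (
    set -f
    IFS=:
    case $1 in
        *:) echo "(trailing empty entry: current directory)" ;;
    esac
    for dir in $1; do
        case $dir in
            "") echo "(empty entry: current directory)" ;;
            /*) if [ -n "$(find -H "$dir" -prune \( ! -user "${TRUSTED_UID:-0}" \
                        -o -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]; then
                    echo "$dir"
                fi ;;
            *)  echo "$dir (relative)" ;;
        esac
    done
)

# Demo on the caller's own PATH, then on a fixed PATH of the kind a
# privileged script would set for itself before calling anything.
echo "awk under current PATH: $(resolve_in_path awk "$PATH")"
echo "risky entries in current PATH:"
risky_path_entries "$PATH"
echo "risky entries in /usr/bin:/bin:"
risky_path_entries "/usr/bin:/bin"
```

A script that sets its own PATH to entries that pass this check, or calls every helper by full pathname, no longer depends on the caller's search order.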