Bash scripting question
Roger Oberholtzer
roger
Mon May 17 11:47:53 PDT 2004
On Tue, 27 May 2003 21:12:48 -0700 (PDT)
"Kevin O'Gorman" <kevin at kosmanor.com> wrote:
> On Tue, 27 May 2003, David A. Bandel wrote:
>
> > On Tue, 27 May 2003 16:24:02 -0400 (EDT)
> > <listmail at rotundus.com> wrote:
> >
> > > David A. Bandel wrote,
> > > > You cannot run a script SUID. Think about it a minute and you'll
> > > > see that you don't ever want that capability.
> > > >
> > > > The script runs and calls other programs/built-ins.
> > >
> > > I can see the need to be cautious with SUID anything, but is a
> > > script really that much more dangerous than anything else running
> > > SUID?
> >
> > Yes. Consider: a script will run _anything_ you put in it. Now think
> > of the worst stuff you could put in it. Want your users running that
> > SUID? And even seemingly benign stuff, if it has a command that's not
> > fully pathed (oops), and as a user I create a similarly named
> > malicious tool (and of course my PATH has $HOME/bin before the system
> > paths) -- sounds like a wtfo (what the frell over?) to me.
> >
>
> I miss the logic of this. An executable will also run _anything_
> you put in it, and succeed if it has enough privilege. And they will
> run as a Trojan if they're in your searchpath. There must be something
> else that makes scripts more dangerous.
Only that a script is more easily changed than a compiled program. Just an
editor will do. Of course, it requires that someone has write permissions
on the script. Just be sure to do chmod a-w on the script.
>
> ++ kevin
>
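Added example, not part of the original thread: a shell function that audits a script for the two weaknesses discussed above, write permission on the script and commands resolved through an inherited PATH. The names `audit_script` and `demo`, the finding labels and the PATH heuristic are assumptions of this example; it also flags a writable, non-sticky parent directory, because that lets the file be replaced even when the file itself is not writable.

```shell
#!/bin/sh
# Added example (not from the thread). audit_script FILE prints one finding
# label per line and returns 0 if none, 1 if any, 2 if FILE is not a file.
audit_script() {
    f=$1
    findings=0
    [ -f "$f" ] || { echo "not-a-file"; return 2; }
    # Group- or world-writable script: "just an editor will do".
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "script-writable"; findings=1
    fi
    # Writable, non-sticky parent directory: the file can be replaced
    # even after chmod a-w on the script itself.
    d=$(dirname "$f")
    if [ -n "$(find "$d" -prune \( -perm -020 -o -perm -002 \) ! -perm -1000)" ]; then
        echo "dir-writable"; findings=1
    fi
    # setuid or setgid bit present on the script.
    if [ -n "$(find "$f" -prune \( -perm -4000 -o -perm -2000 \))" ]; then
        echo "setid-bit"; findings=1
    fi
    # Heuristic (assumption): without an explicit PATH assignment, commands
    # that are not fully pathed resolve through the caller's PATH.
    if ! grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=' "$f"; then
        echo "path-inherited"; findings=1
    fi
    return "$findings"
}

# Constructed sample: a world-writable script calling an unqualified command.
demo() {
    t=$(mktemp -d) || return 2
    printf '#!/bin/sh\nls /tmp\n' > "$t/report.sh"
    chmod 777 "$t/report.sh"
    audit_script "$t/report.sh"
    demo_rc=$?
    rm -rf "$t"
    return "$demo_rc"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the findings for the constructed sample, or source it and call `audit_script` on a real script path.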