Return to BSD News archive
Path: sserve!newshost.anu.edu.au!munnari.oz.au!network.ucsd.edu!pravda.sdsc.edu!news.cerf.net!usc!cs.utexas.edu!uunet!world!ksr!jfw@ksr.com From: jfw@ksr.com (John F. Woods) Newsgroups: comp.os.386bsd.bugs Subject: Re: SUID BUG! -- There back! Message-ID: <27957@ksr.com> Date: 14 Jun 93 12:02:31 EDT References: <crt.739809100@tiamat.umd.umich.edu> <CGD.93Jun11103630@eden.CS.Berkeley.EDU> <crt.739850733@tiamat.umd.umich.edu> Sender: news@ksr.com Organization: Kendall Square Research Corp. Lines: 17 crt@tiamat.umd.umich.edu (Rob Shady) writes: >cgd@eden.CS.Berkeley.EDU (Chris G. Demetriou) writes: >>In article <crt.739809100@tiamat.umd.umich.edu> crt@tiamat.umd.umich.edu (Rob Shady) writes: >>(i hope so; setuid shell scripts are currently disallowed >>for security reasons, in both 386bsd and NetBSD.) >Ah, okay.. That isn't very cool. Whose security??? There are alot of SUID >shell scripts that I need to be able to work. Whose security? Your system's security; it isn't hard for a random user to become root given the existance of one SUID shell script and any of the obvious implementations of SUID shell scripts. perl has a scheme for enabling setuid perl scripts to work (which it does indirectly, without kernel support). If you really need SUID scripts to work, investigate that solution. Don't "fix" the kernel to enable SUID scripts unless you *really*, *really* trust everyone who learns the phone number for your modem.