Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!news.bbnplanet.com!cpk-news-hub1.bbnplanet.com!EU.net!Germany.EU.net!Dortmund.Germany.EU.net!interface-business.de!usenet
From: j@ida.interface-business.de (J Wunsch)
Newsgroups: comp.unix.admin,comp.unix.bsd.misc
Subject: Re: adduser
Date: 9 Dec 1996 16:47:14 GMT
Organization: interface business GmbH, Dresden
Lines: 25
Message-ID: <58hfqi$87c@innocence.interface-business.de>
References: <5824sf$a6v@masala.cc.uh.edu>
Reply-To: joerg_wunsch@interface-business.de (Joerg Wunsch)
NNTP-Posting-Host: ida.interface-business.de
X-Newsreader: knews 0.9.6
X-Phone: +49-351-31809-14
X-Fax: +49-351-3361187
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E
Xref: euryale.cc.adfa.oz.au comp.unix.admin:51602 comp.unix.bsd.misc:1744

yichen@hermes.cs.uh.edu ( Yi Chen ) wrote:

> For security purposes, no characters are printed when entering passwords.
>
> Insecure PATH at /etc/adm/lib/util.pl line 228, <STDIN> line 2.

You need to quote at least +/- 5 lines around this spot.

> e) I also wrote a simple C program as following, compiled it and suid to
> root, and same error msg as c).

> 2) I also tried sudo and visudo the /etc/sudoers. RUN
> /usr/local/bin/sudo /usr/sbin/adduser, got following

Of course, none of them are supposed to work with Perl. :-) Perl is
smarter, it detects the suidness nevertheless, and still applies the
taint checks. It is _very_ wise of Perl to do so, you might have
opened a can of worms otherwise. (The ``insecure path'' is a strong
hint that you might get fooled by malicious users, hence you should
not try working around it, but instead try making the path secure.)

-- 
J"org Wunsch                                    Unix support engineer
joerg_wunsch@interface-business.de        http://www.interface-business.de/~j
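
An added example, not part of the original post and not the adduser or util.pl code it refers to: a Perl script run with -T that shows the taint check refusing a command while PATH is inherited from the caller, then accepting it once the script sets PATH itself. The directory list and the use of /bin/echo are assumptions chosen for illustration.

```perl
#!/usr/bin/perl -T
# Added illustration: "making the path secure" in a script that runs with
# taint checks enabled (forced by -T here, automatic when Perl runs setuid).
use strict;
use warnings;

# Run a command and report whether Perl's taint checks allowed it.
# Returns 1 if the command ran and exited 0, otherwise 0.
sub try_run {
    my ($label, @cmd) = @_;
    # A taint violation is a fatal error, so eval returns undef and sets $@.
    my $ok = eval { system(@cmd) == 0 };
    if (!defined $ok) {
        (my $err = $@) =~ s/\s+\z//;
        # Current Perl words this as: Insecure $ENV{PATH} while running with -T switch
        print "$label: blocked by taint check: $err\n";
        return 0;
    }
    print "$label: ", ($ok ? "command ran" : "command failed"), "\n";
    return $ok ? 1 : 0;
}

# 1. PATH comes from the caller's environment and is therefore tainted.
#    Perl refuses to start a child process even though the command is given
#    with a full path, because the child itself could still consult PATH.
try_run('inherited PATH', '/bin/echo', 'hello');

# 2. Set PATH to a fixed list of absolute directories that only root can
#    write to (assumed here: /bin and /usr/bin), and drop the other
#    variables a shell would act on. Assigning a literal untaints PATH.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

try_run('fixed PATH', '/bin/echo', 'hello');
```

Run it as `perl -T file.pl` or make it executable so the -T on the first line takes effect.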