On Tue, 27 May 2003 21:12:48 -0700 (PDT) "Kevin O'Gorman" <[EMAIL PROTECTED]> wrote:
> On Tue, 27 May 2003, David A. Bandel wrote:
>
> > On Tue, 27 May 2003 16:24:02 -0400 (EDT)
> > <[EMAIL PROTECTED]> wrote:
> >
> > > David A. Bandel wrote,
> > > > You cannot run a script SUID. Think about it a minute and you'll
> > > > see that you don't ever want that capability.
> > > >
> > > > The script runs and calls other programs/built-ins.
> > >
> > > I can see the need to be cautious with SUID anything, but is a
> > > script really that much more dangerous than anything else running
> > > SUID?
> >
> > Yes. Consider: a script will run _anything_ you put in it. Now think
> > of the worst stuff you could put in it. Want your users running that
> > SUID? And even seemingly benign stuff, if it has a command that's not
> > fully pathed (oops), and as a user I create a similarly named
> > malicious tool (and of course my PATH has $HOME/bin before the system
> > paths) -- sounds like a wtfo (what the frell over?) to me.
>
> I miss the logic of this. An executable will also run _anything_
> you put in it, and succeed if it has enough privilege. And they will
> run as a Trojan if they're in your searchpath. There must be something
> else that makes scripts more dangerous.

Only that a script is more easily changed than a compiled program. Just an
editor will do. Of course, it requires that someone has write permissions on
the script. Just be sure to do chmod a-w on the script.

> ++ kevin

_______________________________________________
Linux-users mailing list
[EMAIL PROTECTED]
Unsubscribe/Suspend/Etc -> http://www.linux-sxs.org/mailman/listinfo/linux-users
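
An added example, not part of the thread or written by any of its participants: a small audit that finds scripts carrying the setuid/setgid bit and flags the ones that group or others can still edit, the two conditions discussed above. The function names and output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): list files under DIR that carry the
# setuid or setgid bit and start with "#!", i.e. scripts someone tried to
# make SUID. Linux ignores the bit on such scripts, but the permission still
# shows intent and is worth cleaning up.

# is_script FILE: succeeds when FILE begins with the "#!" interpreter marker.
is_script() {
    head -c 2 "$1" 2>/dev/null | LC_ALL=C grep -q '^#!'
}

# audit_suid_scripts DIR: one finding per line on stdout.
#   SUID-SCRIPT PATH            setuid/setgid bit on a script
#   SUID-SCRIPT-WRITABLE PATH   same, and group or others may edit it
# File names containing newlines are not handled.
audit_suid_scripts() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        is_script "$f" || continue
        if [ -n "$(find "$f" \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            echo "SUID-SCRIPT-WRITABLE $f"
        else
            echo "SUID-SCRIPT $f"
        fi
    done
}

# Usage: sh audit.sh /usr/local/bin   (the script name is an assumption)
[ "$#" -eq 0 ] || audit_suid_scripts "$1"
```

Compiled setuid binaries are skipped because they do not start with `#!`; anything reported as writable is the case the reply's `chmod a-w` advice addresses.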