Date: Sat, 29 Aug 2009 00:06:29 -0700 From: perryh@pluto.rain.com To: mdc@prgmr.com Cc: freebsd-questions@freebsd.org Subject: Re: SUID permission on Bash script Message-ID: <4a98d375.W9fcoTOIN1DqRk/3%perryh@pluto.rain.com> In-Reply-To: <4A98A8A1.7070305@prgmr.com> References: <beaf3aa50908280124pbd2c760v8d51eb4ae965dedc@mail.gmail.com> <87y6p4pbd0.fsf@kobe.laptop> <20090829022431.5841d4de@gumby.homeunix.com> <4A98A8A1.7070305@prgmr.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Michael David Crawford <mdc@prgmr.com> wrote: > It's not that setuid shell scripts are really more > inherently insecure than programs written in C. Actually, absent some careful cooperation between the kernel and the interpreter to prevent a race condition that can cause the interpreter to run (with elevated permissions) a completely different script than the one that was marked setuid, setuid scripts _are_ insecure in a way that _cannot_ be fixed by any degree of care that might be taken in the writing of the script. Check the hackers@ archives. It was discussed a little over a month ago.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4a98d375.W9fcoTOIN1DqRk/3%perryh>