Date: Wed, 4 Aug 2004 23:17:53 +0200 (CEST)
From: Wojciech Puchar <wojtek@tensor.3miasto.net>
To: Bill Moran <wmoran@potentialtech.com>
Cc: "Paredes Sánchez Martín A." <mparedes@telmex.com>
Subject: Re: The set-user-ID-on-execution
Message-ID: <20040804231659.G59935@chylonia.3miasto.net>
In-Reply-To: <20040804090925.0868e1e3.wmoran@potentialtech.com>
References: <E3F56D7842656F4484C5668BC4D7F298042C18@is~tmxmailhmo1.intranet.telmex.com> <20040804090925.0868e1e3.wmoran@potentialtech.com>

> > did I miss something?
>
> Yes. Scripts can't utilize setuid/setgid.
>
> You can rewrite the script in perl and use the setuid perl interpreter
> (which is basically a workaround for this) or install sudo and give the
> script the ability to call sudo before executing commands that require
> elevated privileges.

or even better write this in C, or at least do a wrapper in C that will make
sure no "tricks" are in environment variables etc.

it's quite difficult to write setuid scripts without security holes

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040804231659.G59935>
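
A sketch of the kind of C wrapper the reply suggests, added here as an example and not code from the thread: it discards the caller's environment, rebuilds a minimal one, and execs one fixed script by absolute path. The script path, the fixed PATH and the three-name allowlist are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Assumptions: hypothetical script path; fixed PATH chosen by the wrapper. */
#define TARGET    "/usr/local/libexec/task.sh"
#define SAFE_PATH "PATH=/sbin:/bin:/usr/sbin:/usr/bin"
#define SAFE_CHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.@+-"

/* The only caller variables that may pass through (illustrative allowlist). */
static const char *const allowed[] = { "TERM", "LANG", "TZ" };

/* If entry is "name=value", return a pointer to value, else NULL. */
static const char *value_of(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return (strncmp(entry, name, n) == 0 && entry[n] == '=') ? entry + n + 1 : NULL;
}

/* Fill out[] with a fresh NULL-terminated environment; return entry count.
   The caller's PATH, IFS, ENV, LD_* and anything else unlisted are dropped. */
size_t clean_env(char *const in[], const char *out[], size_t cap)
{
    size_t k = 0;
    if (cap < 2) { if (cap) out[0] = NULL; return 0; }
    out[k++] = SAFE_PATH;
    for (size_t a = 0; a < sizeof allowed / sizeof *allowed && k + 1 < cap; a++)
        for (size_t i = 0; in && in[i]; i++) {
            const char *v = value_of(in[i], allowed[a]);
            if (!v) continue;
            /* Short values from a conservative charset only: no '/', so
               TZ cannot name a file. Only the first duplicate is looked at. */
            if (strlen(v) <= 64 && v[strspn(v, SAFE_CHARS)] == '\0')
                out[k++] = in[i];
            break;
        }
    out[k] = NULL;
    return k;
}

int main(void)
{
    extern char **environ;
    const char *env[8];
    char *const argv[] = { (char *)TARGET, NULL };  /* caller's argv ignored */
    clean_env(environ, env, sizeof env / sizeof *env);
    execve(TARGET, argv, (char *const *)env);  /* absolute path, no PATH search */
    perror("execve");
    return 127;
}
```

The wrapper is only as safe as the script it runs: the target and every directory above it must not be writable by the users allowed to invoke the wrapper.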