From owner-freebsd-ports Mon Aug 4 23:14:02 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id XAA22475 for ports-outgoing; Mon, 4 Aug 1997 23:14:02 -0700 (PDT)
Received: from anugpo.anu.edu.au (anugpo.anu.edu.au [150.203.2.6]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA22467; Mon, 4 Aug 1997 23:13:56 -0700 (PDT)
Received: from bohm.anu.edu.au (root@bohm.anu.edu.au [150.203.21.88]) by anugpo.anu.edu.au (8.8.5/8.8.5) with SMTP id QAA19317; Tue, 5 Aug 1997 16:12:43 +1000 (EST)
Received: from totoro by bohm.anu.edu.au (SMI-8.6/SMI-SVR4) id QAA04032; Tue, 5 Aug 1997 16:12:34 +1000
Message-Id: <3.0.32.19970805161419.00a65b08@student.anu.edu.au>
X-Sender: s3080696@student.anu.edu.au
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Tue, 05 Aug 1997 16:14:28 +1000
To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch), marcs@znep.com (Marc Slemko)
From: James Seng
Subject: Re: SetUID
Cc: freebsd@atipa.com (Atipa), jonz@netrail.net (Jonathan A. Zdziarski), ports@FreeBSD.ORG, security@FreeBSD.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-ports@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

At 23:50 4/08/97 +0200, J Wunsch wrote:
>As Marc Slemko wrote:
>
>> You are being very naive. You can do an awful lot with environment
>> variables. What would happen if you set ENV before running your wrapper?
>> /bin/sh would see it and execute whatever is in the file it points to.
>
>No longer. $ENV should only be evaluated for interactive shells.
>Recent versions of FreeBSD's /bin/sh handle it this way (but probably
>not the version of the guy who's been asking here).
>
>> What if you set one of a couple of LD_* environment variables? The loader
>> would see them and use whatever they point to.
>
>But that's a right point, indeed. The loader will ignore these
>variables for the wrapper, but not for the called executables.

In other words, the shell script #!/bin/sh would not be susceptible to the ENV
parsing problem but the wrapper will.

The easiest (and oldest) exploit would probably be using IFS on the
posted wrapper program *8)

Look at the wrapper which comes with sendmail if you really want something
which is more secure.

-James Seng
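
One way a setuid wrapper can sidestep the ENV, LD_* and IFS issues raised in this thread is to hand the target a freshly built environment instead of the caller's. This is an added example, not code from the thread or from the posted wrapper. The allowlist, the fixed PATH value, the function names and the /usr/bin/env stand-in target are assumptions.

```c
#include <string.h>
#include <unistd.h>
extern char **environ;

/* Assumed policy: the only caller-supplied variables passed through. */
static const char *const KEEP[] = { "TZ", "LANG", "TERM", NULL };
/* PATH is set by the wrapper itself, never taken from the caller. */
static char FIXED_PATH[] = "PATH=/bin:/usr/bin";

/* True if entry is "NAME=value" with NAME on the allowlist. */
static int allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : 0;
    for (size_t i = 0; n > 0 && KEEP[i] != NULL; i++)
        if (strlen(KEEP[i]) == n && strncmp(entry, KEEP[i], n) == 0)
            return 1;
    return 0;
}

/* Build a NULL-terminated clean environment in out[] (cap slots) from in[].
 * ENV, IFS, LD_* and everything else not in KEEP is dropped.
 * Returns the number of entries, or -1 if out[] is too small. */
int build_clean_env(char *const in[], char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2)
        return -1;
    out[n++] = FIXED_PATH;
    for (size_t i = 0; in != NULL && in[i] != NULL; i++) {
        if (!allowed(in[i]))
            continue;
        if (n + 1 >= cap)
            return -1;          /* fail closed rather than truncate */
        out[n++] = in[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Wrapper entry. /usr/bin/env is a stand-in target that prints what it
 * received; it is exec'd directly with fixed arguments, not via /bin/sh. */
int main(void)
{
    char *clean[8], *args[] = { "env", NULL };
    if (build_clean_env(environ, clean, 8) < 0)
        return 1;
    execve("/usr/bin/env", args, clean);
    return 1;                   /* reached only if execve failed */
}
```

Because the target is started with execve() and never through a shell command line, no shell parses caller-controlled text, and the loader of the called executable only sees the variables the wrapper chose to pass.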