Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Posting-Version: version B 2.10.2 9/18/84; site brl-tgr.ARPA Path: utzoo!watmath!clyde!burl!ulysses!allegra!bellcore!decvax!genrad!teddy!panda!talcott!harvard!seismo!brl-tgr!gwyn From: gwyn@brl-tgr.ARPA (Doug Gwyn) Newsgroups: net.unix Subject: Re: 2 shell questions before the new year Message-ID: <7173@brl-tgr.ARPA> Date: Thu, 10-Jan-85 12:58:00 EST Article-I.D.: brl-tgr.7173 Posted: Thu Jan 10 12:58:00 1985 Date-Received: Sun, 13-Jan-85 07:38:24 EST References: <6820@brl-tgr.ARPA> <240@mtxinu.UUCP> <405@mcvax.UUCP> Organization: Ballistic Research Lab Lines: 8 > Unless you've fixed your kernel, if you have setuid shell scripts you > have a security hole. Don't send me mail asking what it is. One should be careful for ANY security-related code to check for loopholes. This means, in C code, argc == 0, PATH=funny_places, signals in critical places, fd 0, 1, and/or 2 not opened, etc. For shell scripts, one should ALWAYS set PATH=wherever and if security-critical set IFS=standard_whitespace and catch traps.