Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site rlgvax.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!allegra!bellcore!decvax!genrad!teddy!panda!talcott!harvard!seismo!rlgvax!guy
From: guy@rlgvax.UUCP (Guy Harris)
Newsgroups: net.unix-wizards
Subject: Re: Security and set[ug]id shell scripts (how #! works)
Message-ID: <365@rlgvax.UUCP>
Date: Thu, 17-Jan-85 14:23:27 EST
Article-I.D.: rlgvax.365
Posted: Thu Jan 17 14:23:27 1985
Date-Received: Mon, 21-Jan-85 01:24:12 EST
References: <7462@brl-tgr.ARPA>
Organization: CCI Office Systems Group, Reston, VA
Lines: 36

> 4.2 does have a mechanism that if the magic number of a file happens to
> correspond to "#!" the kernel then reads for the rest of the line and
> uses that as the program to exec. The setuid bits get applied to that
> program (not necessarily the shell). The standard input gets redirected
> to the file (the manual is wrong).

No, the manual is correct. It says "An interpreter file begins with a line
of the form ``#! interpreter''; when an interpreter file is "execve"d, the
system "execve"s the specified "interpreter", giving it the name of the
originally exec'd file as an argument, shifting over the rest of the original
arguments."

The following interpreter file:

	#! /bin/echo

when named "putz" and run as "putz foo bar", prints "putz foo bar".

The reason this doesn't confuse a shell script (i.e., that the script

	#! /bin/sh
	echo '$0 =' "$0"
	echo "$@"
	cat >/tmp/stuff

(which reads from the terminal, not from the script file, in the "cat" command)
when called "futz" and run as "futz foo bar" prints "foo bar" on the second
echo line) is that the shell is run as

	/bin/sh futz foo bar

and takes "futz" as the script to run and "foo" and "bar" as the arguments to
pass to it.

The only code in "kern_exec.c" that does anything with file descriptors is
the code that does close-on-exec.

	Guy Harris
	{seismo,ihnp4,allegra}!rlgvax!guy
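The two interpreter files from the article can be recreated and run on a current system to confirm that the interpreter receives the script's name as an argument and that standard input is left alone. This is an added example, not part of the original post; it assumes /bin/echo and /bin/sh exist, that the scratch directory allows execution, and it changes the article's "cat >/tmp/stuff" to write a file named "stuff" in the scratch directory. The function names are made up for the example.

```shell
#!/bin/sh
# Recreate "putz" and "futz" in a scratch directory and run them.

make_scripts() {
    dir=$(mktemp -d) || return 1
    # putz: the interpreter is /bin/echo, so the argument list the
    # kernel builds for the interpreter is simply printed back.
    printf '#! /bin/echo\n' > "$dir/putz"
    # futz: the shell script from the article; cat writes to ./stuff
    # here instead of /tmp/stuff.
    cat > "$dir/futz" <<'EOF'
#! /bin/sh
echo '$0 =' "$0"
echo "$@"
cat >stuff
EOF
    chmod +x "$dir/putz" "$dir/futz"
    printf '%s\n' "$dir"
}

# Runs "./putz foo bar"; /bin/echo is exec'd with the script name
# inserted ahead of the original arguments.
run_putz() {
    ( cd "$1" && ./putz foo bar )
}

# Runs "./futz foo bar" with a pipe standing in for the terminal.
# The shell opens ./futz by name; stdin is still the pipe, so the
# "cat" inside the script copies the piped line into ./stuff.
run_futz() {
    ( cd "$1" && printf 'typed at the terminal\n' | ./futz foo bar )
}

d=$(make_scripts) || exit 1
run_putz "$d"        # ./putz foo bar
run_futz "$d"        # $0 = ./futz  /  foo bar
cat "$d/stuff"       # typed at the terminal
rm -rf "$d"
```
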