Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site rlgvax.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!allegra!bellcore!decvax!genrad!teddy!panda!talcott!harvard!seismo!rlgvax!guy
From: guy@rlgvax.UUCP (Guy Harris)
Newsgroups: net.unix-wizards
Subject: Re:  Security and set[ug]id shell scripts (how #! works)
Message-ID: <365@rlgvax.UUCP>
Date: Thu, 17-Jan-85 14:23:27 EST
Article-I.D.: rlgvax.365
Posted: Thu Jan 17 14:23:27 1985
Date-Received: Mon, 21-Jan-85 01:24:12 EST
References: <7462@brl-tgr.ARPA>
Organization: CCI Office Systems Group, Reston, VA
Lines: 36

> 4.2 does have a mechanism that if the magic number of a file happens to
> correspond to "#!" the kernel then reads for the rest of the line and
> uses that as the program to exec.  The setuid bits get applied to that
> program (not necessarily the shell).  The standard input gets redirected
> to the file (the manual is wrong).

No, the manual is correct.  It says "An interpreter file begins with a
line of the form ``#! interpreter''; when an interpreter file is "execve"d,
the system "execve"s the specified "interpreter", giving it the name of
the originally exec'd file as an argument, shifting over the rest of
the original arguments."

The following interpreter file:

	#! /bin/echo

when named "putz" and run as "putz foo bar", prints "putz foo bar".  The
reason this doesn't confuse a shell script (i.e., that the script

	#! /bin/sh
	echo '$0 =' "$0"
	echo "$@"
	cat >/tmp/stuff

(which reads from the terminal, not from the script file, in the "cat"
command) when called "futz" and run as "futz foo bar" prints "foo bar"
on the second echo line) is that the shell is run as

	/bin/sh futz foo bar

and takes "futz" as the script to run and "foo" and "bar" as the arguments
to pass to it.  The only code in "kern_exec.c" that does anything with
file descriptors is the code that does close-on-exec.

	Guy Harris
	{seismo,ihnp4,allegra}!rlgvax!guy
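
The behaviour described in the post can be checked on a current Unix system. The script below is an added example, not part of the original article: it recreates "putz" and "futz" in a scratch directory, with futz's `cat >/tmp/stuff` changed to a plain `cat` so its input is visible. The function names and the piped line are constructed for the demonstration, and /bin/echo and /bin/sh are assumed to exist.

```shell
#!/bin/sh
# Added demonstration: what the kernel hands to a "#!" interpreter.

# make_scripts DIR: write the two interpreter files from the post into DIR.
make_scripts() {
    printf '#! /bin/echo\n' > "$1/putz"
    # futz as in the post, except "cat" writes to stdout instead of /tmp/stuff
    cat > "$1/futz" <<'EOF'
#! /bin/sh
echo '$0 =' "$0"
echo "$@"
cat
EOF
    chmod +x "$1/putz" "$1/futz"
}

# run_putz DIR: the kernel runs "/bin/echo ./putz foo bar", so echo prints
# the script's own path followed by the original arguments.
run_putz() {
    ( cd "$1" && ./putz foo bar )
}

# run_futz DIR: the kernel runs "/bin/sh ./futz foo bar". The shell opens
# ./futz by name; standard input is left alone, so "cat" inside the script
# reads the constructed line piped in here, not the script file.
run_futz() {
    ( cd "$1" && printf 'typed-on-stdin\n' | ./futz foo bar )
}

demo() {
    d=$(mktemp -d) || return 1
    make_scripts "$d"
    echo "putz output:"; run_putz "$d"
    echo "futz output:"; run_futz "$d"
    rm -rf "$d"
}

demo
```

Because the scripts are invoked as "./putz" and "./futz", that path is what appears as the interpreter's first argument and as $0.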