Path: utzoo!dciem!nrcaer!scs!spl1!laidbak!att!ihnp4!ucbvax!bostic
From: bostic@ucbvax.BERKELEY.EDU (Keith Bostic)
Newsgroups: comp.unix.wizards
Subject: Re: setuid shell scripts
Message-ID: <24479@ucbvax.BERKELEY.EDU>
Date: 1 Jun 88 21:08:48 GMT
Article-I.D.: ucbvax.24479
References: <19045@watmath.waterloo.edu>
Organization: University of California at Berkeley
Lines: 23

In article <19045@watmath.waterloo.edu>, gamiddleton@watmath.waterloo.edu (Guy Middleton) writes:
> The following recently showed up in comp.bugs.4bsd.ucb-fixes:
> 
> 	From: bostic@OKEEFFE.BERKELEY.EDU (Keith Bostic)
> 	Subject: setuid/setgid shell scripts are a security risk
> 	Index: sys/kern_exec.c 4.3BSD
>
> This seems unnecessarily drastic action.  We know what the problems with
> setuid shell scripts are; there is a simple kernel change to fix them (or
> at least, it fixes the problems we are aware of).  Why not fix the problem,
> instead of removing a useful feature from the system?

The kernel fix that you (and other people) are proposing does not fix
this particular problem.

--keith
