[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Set UID bit on files

From: Eric Siegerman
Subject: Re: Set UID bit on files
Date: Thu, 12 Jul 2001 12:37:23 -0400
User-agent: Mutt/1.2.5i

On Thu, Jul 12, 2001 at 03:19:46PM +1000, Cheyne Wagner wrote:
> I have some shell scripts that I need a setuid bit on the file for when it 
> executes.

This is a bad idea -- setuid shell scripts are dangerous:
 1. In some Unix kernels, there's a race condition in the
    exec'ing of files other than load modules (i.e. text files
    that use the #! mechanism), which can let an attacker
    convince the kernel to run his own script setuid.

 2. Even absent the above kernel bug, shell scripts depend on
    external programs to do most of their real work; a setuid
    shell script is susceptible to security bugs in *all* of
    those external programs, not just in the shell and the script

(Setuid Perl scripts, btw, are less susceptible to (2), since
with a bit of care one can do everything in Perl without shelling
out, but they're still susceptible to (1)).

All that being said, though:

> [...] is there a way I can configure the CVS server to store this 
> bit so all copies have the set uid bit on the file?

No.  There used to be a PreservePermissions mechanism, but:
  - It's no longer supported (search the list archives for much
    discussion on the topic)

  - I don't think it ever preserved setuid or setgid (at least,
    an old version of the manual doesn't list those as among
    the attributes it preserved)


|  | /\
|-_|/  >   Eric Siegerman, Toronto, Ont.        address@hidden
|  |  /
With sufficient thrust, pigs fly just fine. However, this is not
necessarily a good idea.
        - RFC 1925 (quoting an unnamed source)

reply via email to

[Prev in Thread] Current Thread [Next in Thread]