Subject: Re: route default delete -- by script, not by root
To: Jeremy C. Reed <reed@reedmedia.net>
From: David Laight <david@l8s.co.uk>
List: netbsd-help
Date: 02/03/2003 11:39:59

On Mon, Feb 03, 2003 at 03:15:17AM -0800, Jeremy C. Reed wrote:
> On Sun, 2 Feb 2003, Gan Uesli Starling wrote:
> 
> > ...in it and is chown root and chmod 6770 which
> > I thought could be called by the script owned
> > by vpnuser.
> 
> You can't have setuid/setgid scripts.
> http://www.google.com/search?q=faq+setuid+scripts

What is wrong with the kernel options:

## `FDSCRIPTS' allows non-readable but executable scripts by providing a 
## pre-opened opaque file to the script interpreter.  `SETUIDSCRIPTS',
## which implies FDSCRIPTS, allows scripts to be set-user-id using the same
## opaque file mechanism.  Perl calls this "secure setuid scripts."

options        FDSCRIPTS
options        SETUIDSCRIPTS

Then you are only left with problems due to PATH and IFS (and badly
coded scripts that fail to enclose anything that might have come from the
user in "").

	David

-- 
David Laight: david@l8s.co.uk
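
The PATH, IFS and quoting problems mentioned in the message above, as an added example that is not part of the original post: a preamble for a privileged shell script that pins PATH and IFS, plus a comparison of unquoted and quoted expansion of a caller-supplied value. The function names, the fixed PATH value and the gateway character check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): preamble for a privileged
# script addressing the PATH, IFS and quoting problems named above.

# Replace the caller-controlled search path and field separators with
# fixed values before running any external command.
harden_env() {
    PATH=/sbin:/bin:/usr/sbin:/usr/bin      # assumed system directories
    export PATH
    # IFS = space, tab, newline; the trailing "_" protects the newline
    # from being stripped by command substitution.
    IFS=$(printf ' \t\n_')
    IFS=${IFS%_}
    unset ENV BASH_ENV CDPATH
}

# Report how many arguments a command would actually receive.
count_args() { echo "$#"; }

# Unquoted expansion: the value is split on IFS (and glob-expanded), so one
# user-supplied string can become several arguments.
unquoted_count() { count_args $1; }

# Quoted expansion: the value is always passed as exactly one argument.
quoted_count() { count_args "$1"; }

# Hypothetical allow-list check for a gateway argument: digits and dots only.
is_dotted_quad_chars() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
        *) return 0 ;;
    esac
}

harden_env
user_value='10.0.0.1 extra words'          # constructed sample input
echo "unquoted: $(unquoted_count "$user_value") argument(s)"
echo "quoted:   $(quoted_count "$user_value") argument(s)"
if is_dotted_quad_chars "$user_value"; then
    echo "accepted"
else
    echo "rejected: unexpected characters"
fi
```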