tech-userlevel archive


Re: Adding a simple editor to the base system



On Sat, Feb 14, 2009 at 10:34:47AM -0500, der Mouse wrote:
> [Aleksej Saushev <asau%inbox.ru@localhost>]
> > Does [SETUIDSCRIPTS] prevent symlink attack or simply disable the
> > check?
> 
> [markucz%gmail.com@localhost]
> > I never tried it myself but my guess is [...]
> 
> I suppose actually looking to see what it does is out of the question?
> 
> I just looked.  Based on a -current source tree updated last night via
> sup, SETUIDSCRIPTS passes the script as an open fd to the shell,
> telling it to use the appropriate /dev/fd/* as the script name.

Exactly.  It works just as well as it always has.

And it has the same problem it always has: for every user who angrily
stomps his foot and shouts about what idiots the NetBSD developers must
be for not turning on setuid scripts, there's some other idiot who can't
grasp that a small change in interpreter behavior is required to cooperate
with this feature, and he can't use arbitrary programs as interpreters
for setuid scripts safely.

So it's a useful feature, but it's not safe default behavior, because
it violates people's heretofore reasonable expectations about how Unix
works in a way that can let them carelessly get themselves in trouble.

I think you could even find traffic about this on comp.unix.4bsd.bugs
from what, 20 years ago? when this was first proposed.  Sigh.

Thor
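
The difference between reading a script through a descriptor that was opened once and reopening it by name, as an added example that is not part of the original message and is not NetBSD code. The temporary file names and the `swap_demo` function are constructed for illustration, and no setuid bit is involved.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a small constructed file; returns 0 on success. */
static int put(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* First byte of the file behind an already-open descriptor, or -1. */
static int first_byte(int fd) {
    char c;
    return pread(fd, &c, 1, 0) == 1 ? c : -1;
}

/* Returns -1 on setup failure, else a bit mask:
 * 1 = the descriptor still reads the file that was checked,
 * 2 = reopening the same name now reaches a different inode. */
int swap_demo(void) {
    char dir[] = "/tmp/fdscript.XXXXXX", a[64], b[64], name[64];
    struct stat checked, now;
    int result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/a", dir);
    snprintf(b, sizeof b, "%s/b", dir);
    snprintf(name, sizeof name, "%s/script", dir);
    if (put(a, "A checked\n") || put(b, "B other\n") || symlink(a, name)) return -1;
    int fd = open(name, O_RDONLY);                   /* opened once, as at exec time */
    if (fd < 0 || fstat(fd, &checked)) return -1;    /* checks apply to this inode */
    if (unlink(name) || symlink(b, name)) return -1; /* name re-pointed afterwards */
    int fd2 = open(name, O_RDONLY);                  /* a reader reopening by name */
    if (fd2 < 0 || fstat(fd2, &now)) return -1;
    if (first_byte(fd) == 'A') result |= 1;
    if (first_byte(fd2) == 'B' && now.st_ino != checked.st_ino) result |= 2;
    close(fd); close(fd2);
    unlink(name); unlink(a); unlink(b); rmdir(dir);
    return result;
}

int main(void) {
    printf("mask = %d\n", swap_demo());
    return 0;
}
```

A result of 3 means both observations hold: the descriptor stays bound to the inode that was inspected, while the name no longer does.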

