tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: setuid scripts (Christos Zoulas) writes:

> In article <>, Aleksej Saushev  
> <> wrote:
>>Alan Barrett <> writes:
>>> On Sat, 14 Feb 2009, Aleksej Saushev wrote:
>>>> > I think you can run setuid scripts if you build a custom kernel with
>>>> > SETUIDSCRIPTS enabled.
>>>> Does it prevent symlink attack or simply disables the check?
>>> AFAIK it works properly, by passing the script to the shell using an
>>> open file descriptor, named via /dev/fd/${number}.  I have no idea why
>>> it's disabled by default.
>>Any reason to keep it disabled?
> People who write setuid shell scripts usually don't know what they are doing?

What I see in practice, is that they simply work around the check by
implementing setuid binary wrapper instead of learning how to write
correct scripts (those are _not_ shell ones in many cases).


Home | Main Index | Thread Index | Old Index