> [ kenh writes a good description of the set-id shell script hole ]
>
> The SUIDSCRIPTS option for the kernel opens the file before it checks the
> mode bits as fd 0, and then runs "/bin/sh /dev/fd/0" (or whatever interpreter
> you specify), thus not giving anyone a chance to change what file is being
> run.

This is incorrect.  The next available file descriptor is allocated
and used for the script.  Blindly using 0 would cause problems.
("oh no, what happened to stdin!?!?" 8-)


Also, FYI, the option name is "SETUIDSCRIPTS"...  8-)



chris