-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 27 May 2003 16:24:02 -0400 (EDT)
<[EMAIL PROTECTED]> wrote:

> David A. Bandel wrote,
> > You cannot run a script SUID.  Think about it a minute and you'll
> > see that you don't ever want that capability.
> >
> > The script runs and calls other programs/built-ins.
> 
> I can see the need to be cautious with SUID anything, but is a script
> really that much more dangerous than anything else running SUID?

Yes.  Consider: a script will run _anything_ you put in it.  Now think
of the worst stuff you could put in it.  Want your users running that
SUID?  And even seemingly benign stuff, if it has a command that's not
fully pathed (oops), and as a user I create a similarly named malicious
tool (and of course my PATH has $HOME/bin before the system paths) --
sounds like a wtfo (what the frell over?) to me.

Ciao,

David A. Bandel
- -- 
Focus on the dream, not the competition.
                Nemesis Racing Team motto
GPG key autoresponder:  mailto:[EMAIL PROTECTED]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+0/s/j31PLQNUbV4RAgB3AJ4jySFpKxjboKMSM6bUBBRs4wCj/QCffXoE
bf9fjoMywDOPDRusBsixrH0=
=uz7X
-----END PGP SIGNATURE-----

_______________________________________________
Linux-users mailing list
[EMAIL PROTECTED]
Unsubscribe/Suspend/Etc -> http://www.linux-sxs.org/mailman/listinfo/linux-users
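
An added example, not part of the original post: a small audit of the unqualified-command problem described above, showing which directory a caller-supplied PATH would pick for each bare command name in a script. The function names, the TRUSTED_DIRS list and the demo files are assumptions made for illustration, and only the first word of each line is examined.

```shell
#!/bin/sh
# TRUSTED_DIRS is an assumption: set it to your system's root-owned bin dirs.
TRUSTED_DIRS=${TRUSTED_DIRS:-"/bin /sbin /usr/bin /usr/sbin"}

# Print the first executable named $1 found by walking the PATH-style list $2.
resolve_in_path() {
    name=$1 old_ifs=$IFS; IFS=:
    for dir in $2; do
        [ -z "$dir" ] && dir=.    # empty PATH entry means current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs; printf '%s\n' "$dir/$name"; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

is_trusted_dir() {
    for t in $TRUSTED_DIRS; do [ "$1" = "$t" ] && return 0; done
    return 1
}

# Report bare command names in script $1 that PATH $2 resolves outside TRUSTED_DIRS.
# Simplification: only the first word of each line is examined.
audit_script() {
    while read -r word rest; do
        case $word in
            ''|'#'*|*/*|*=*) continue ;;   # blank, comment, already pathed, assignment
            if|then|else|fi|for|do|done|while|case|esac|echo|exit|cd) continue ;;
        esac
        hit=$(resolve_in_path "$word" "$2") || { echo "UNRESOLVED $word"; continue; }
        is_trusted_dir "${hit%/*}" || echo "UNTRUSTED $word -> $hit"
    done < "$1"
    return 0
}

# Constructed demo: a stand-in "system" dir and a stand-in $HOME/bin in a temp dir.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/sys" "$d/home/bin" || return 1
    printf '#!/bin/sh\n' > "$d/sys/ls";      chmod +x "$d/sys/ls"
    printf '#!/bin/sh\n' > "$d/home/bin/ls"; chmod +x "$d/home/bin/ls"  # same name, user dir
    printf '#!/bin/sh\nls /tmp\n%s /tmp\n' "$d/sys/ls" > "$d/job.sh"
    TRUSTED_DIRS=$d/sys
    echo "user PATH:   $(audit_script "$d/job.sh" "$d/home/bin:$d/sys")"
    echo "pinned PATH: $(audit_script "$d/job.sh" "$d/sys")"
    rm -rf "$d"
}
demo
```

With the user's directory first in PATH the bare `ls` is reported as coming from an untrusted directory; with PATH pinned to the trusted directory, or with the command fully pathed, nothing is reported.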
