On Tue, 27 May 2003, David A. Bandel wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Tue, 27 May 2003 16:24:02 -0400 (EDT)
> <[EMAIL PROTECTED]> wrote:
> 
> > David A. Bandel wrote,
> > > You cannot run a script SUID.  Think about it a minute and you'll
> > > see that you don't ever want that capability.
> > >
> > > The script runs and calls other programs/built-ins.
> > 
> > I can see the need to be cautious with SUID anything, but is a script
> > really that much more dangerous than anything else running SUID?
> 
> Yes.  Consider: a script will run _anything_ you put in it.  Now think
> of the worst stuff you could put in it.  Want your users running that
> SUID?  And even seemingly benign stuff, if it has a command that's not
> fully pathed (oops), and as a user I create a similarly named malicious
> tool (and of course my PATH has $HOME/bin before the system paths) --
> sounds like a wtfo (what the frell over?) to me.
> 

I miss the logic of this.  An executable will also run _anything_
you put in it, and succeed if it has enough privilege.  And they will
run as a Trojan if they're in your searchpath. There must be something 
else that makes scripts more dangerous.

++ kevin
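
The PATH-ordering point from the quoted reply (a command that is not fully pathed, with $HOME/bin ahead of the system paths), as an added example that is not part of the original thread. The function names and the temporary directory layout are constructed for illustration; the check reports which file an unqualified name resolves to and which PATH entries the invoking user can write to.

```shell
#!/bin/sh
# Added example, not code from the thread. All function names are hypothetical.

# resolve_with PATHVALUE CMD: print the file an unqualified CMD would execute
# under PATHVALUE, scanning entries left to right as the shell does.
resolve_with() {
    _old_ifs=$IFS; IFS=:; set -f
    for _dir in $1; do
        _cand=${_dir:-.}/$2               # an empty entry means the current directory
        if [ -f "$_cand" ] && [ -x "$_cand" ]; then
            IFS=$_old_ifs; set +f
            printf '%s\n' "$_cand"
            return 0
        fi
    done
    IFS=$_old_ifs; set +f
    return 1
}

# risky_entries PATHVALUE: print entries that are relative, empty, or writable
# by the invoking user; a file placed there can shadow a system command.
risky_entries() {
    _old_ifs=$IFS; IFS=:; set -f
    for _dir in $1; do
        case $_dir in
            /*) if [ -d "$_dir" ] && [ -w "$_dir" ]; then printf '%s\n' "$_dir"; fi ;;
            *)  printf '%s\n' "${_dir:-.}" ;;
        esac
    done
    IFS=$_old_ifs; set +f
}

# make_sandbox: build a constructed layout under a temp dir and print its root.
# home/bin stands in for $HOME/bin, sys for a system directory.
make_sandbox() {
    _root=$(mktemp -d) || return 1
    mkdir -p "$_root/home/bin" "$_root/sys"
    printf '#!/bin/sh\necho "user copy"\n'   > "$_root/home/bin/date"
    printf '#!/bin/sh\necho "system copy"\n' > "$_root/sys/date"
    chmod 755 "$_root/home/bin/date" "$_root/sys/date"
    printf '%s\n' "$_root"
}

# Demo: the same unqualified name resolves differently depending on PATH order.
sandbox=$(make_sandbox)
echo "user-first PATH : $(resolve_with "$sandbox/home/bin:$sandbox/sys" date)"
echo "pinned PATH     : $(resolve_with "$sandbox/sys" date)"
echo "writable entries:"; risky_entries "$sandbox/home/bin:/usr/bin:/bin"
rm -rf "$sandbox"
```

Run as an unprivileged user, the last call reports only the stand-in for $HOME/bin; run as root, every existing directory counts as writable.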
