how to setuid for shell scripts on ultrix? (really: SETUID SCRIPTS ARE A SECURITY HOLE)

Chris Calabrese cjc at ulysses.att.com
Sun Nov 18 06:17:42 AEST 1990


In article <6644 at ethz.UUCP> prl at iis.UUCP (Peter Lamb) writes:
>HOWEVER, before you dash off and start making setuid shell scripts:
>
>	SETUID SHELL SCRIPTS ARE INHERENTLY A SECURITY HOLE!
>
>		You *CAN'T* make them hackerproof.
>
>The only exceptions I know to this are Larry Wall's perl interpreter
>and Maarten Litmaat's setuid program (but make sure you get his
>*second* release, not the first, to comp.sources.unix).
>
>Since bulletproof /bin/sh and /bin/csh programs are notoriously
>difficult to write, even in the absence of the kernel problem,
>my recommendation is perl.
>Peter Lamb
>uucp:  uunet!mcsun!ethz!prl	eunet: prl at iis.ethz.ch	Tel:   +411 256 5241
>Integrated Systems Laboratory
>ETH-Zentrum, 8092 Zurich

I thought I'd throw my $.02 into this discussion.
Yes, it is possible to make them hackerproof.
This requires 2 things. First, it requires that the script itself is
secure (perl, etc. help here).  Second, it requires the elimination of
the kernel problem.  This has been fixed in versions done at bell labs
(and subsequently used in the System V Release 4 kernel).

The key is that the kernel must pass a file descriptor to the script,
not merely the name of the script.  This is done by using /dev/fd and
passing the appropriate file name for the file descriptor.  Under this
scheme, since the file is never closed and a descriptor is effectively
passed, any foolings with symlinks, naming, etc as has been suggested
as the inherent security hole won't work.

Of course, it's still difficult to do the right thing with IFS, etc.
But at least this makes it _possible_ to write a 100% bullet proof
setuid script.

Name:			Christopher J. Calabrese
Brain loaned to:	AT&T Bell Laboratories, Murray Hill, NJ
att!ulysses!cjc		cjc at ulysses.att.com
Obligatory Quote:	``pher - gr. vb. to schlep.  phospher - to schlep light.  philosopher - to schlep thoughts.''
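
Added example, not part of the original post and not kernel code: a C check of the property the message relies on, that a `/dev/fd/N` name stays bound to the file that was opened and checked even after the path is re-pointed. It assumes a system that provides `/dev/fd`; the names `same_file`, `write_file` and `compare_bindings` and the temporary files are constructed for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if `name` now resolves to the file described by `ref`, 0 if not, -1 on error. */
static int same_file(const char *name, const struct stat *ref)
{
    struct stat now;
    if (stat(name, &now) != 0) return -1;
    return now.st_dev == ref->st_dev && now.st_ino == ref->st_ino;
}
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0700);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}
/* Returns 0 on success; *by_name and *by_fd get same_file() results taken
 * after the path has been re-pointed at a different (constructed) file. */
int compare_bindings(int *by_name, int *by_fd)
{
    char dir[] = "/tmp/fdbindXXXXXX", path[64], old[64], fdname[32];
    struct stat checked;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/script", dir);
    snprintf(old, sizeof old, "%s/script.old", dir);
    if (write_file(path, "#!/bin/sh\necho checked\n") != 0) return -1;
    int fd = open(path, O_RDONLY);      /* opened once, when the file is checked */
    if (fd < 0 || fstat(fd, &checked) != 0) return -1;
    snprintf(fdname, sizeof fdname, "/dev/fd/%d", fd);
    /* The name changes meaning before an interpreter would open it. */
    if (rename(path, old) != 0 || write_file(path, "#!/bin/sh\necho other\n") != 0) return -1;
    *by_name = same_file(path, &checked);   /* name handed to the interpreter */
    *by_fd = same_file(fdname, &checked);   /* /dev/fd name handed instead */
    close(fd); unlink(path); unlink(old); rmdir(dir);
    return 0;
}
int main(void)
{
    int n = -1, f = -1;
    if (compare_bindings(&n, &f) != 0) return 1;
    printf("by name: %d, by /dev/fd: %d\n", n, f);
    return 0;
}
```

The path no longer names the checked file, while the descriptor name still does, which is why passing the descriptor closes the gap between the kernel's check and the interpreter's open.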


