In article <20040520055516.GA9277@misery.proulx.com>,
Bob Proulx <firstname.lastname@example.org> wrote:
>However, setuid shell scripts are such a security hole that they
>should never exist. Much of the time spent by the security scanners
>for unix scan for just such problems.

This is true. On most systems, it's trivial to exploit a suid
shell script. Often the shell reads ~/.bashrc or a similar file
at startup - put your exploit there and you're done. Or put it
in $BASH_ENV. Or, if the shell script doesn't reset the PATH,
just change the PATH to include a directory with your exploit
named after one of the commands that the shell calls. Then
there's the IFS exploit. etc etc etc.

For every 10 setuid shell scripts, 9 are exploitable. Maybe 10.
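
The kind of check a scanner can make for the setuid shell scripts discussed in this thread, as an added example that is not part of either post: it lists setuid or setgid files whose interpreter line names a shell. The function names `is_shell_script` and `find_suid_shell_scripts` and the list of shell names are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag setuid/setgid files whose "#!" line names a shell.
# Function names and the shell list below are assumptions of this example.

# is_shell_script FILE: succeed if FILE's interpreter line names a shell.
is_shell_script() {
    # Look at the first line only; drop NULs so binaries do not garble it.
    first=$(head -c 256 "$1" 2>/dev/null | tr -d '\000' | head -n 1)
    case $first in
        '#!'*) ;;
        *) return 1 ;;
    esac
    # Split "#! /usr/bin/env bash -e" into interpreter, first argument, rest.
    read -r interp arg rest <<EOF
${first#??}
EOF
    interp=${interp##*/}
    # "#!/usr/bin/env bash": the real interpreter is env's first argument.
    if [ "$interp" = env ]; then interp=${arg##*/}; fi
    case $interp in
        sh|ash|bash|dash|ksh|mksh|zsh|csh|tcsh) return 0 ;;
    esac
    return 1
}

# find_suid_shell_scripts DIR: print each setuid or setgid regular file
# under DIR (same filesystem only) that is a shell script, one per line.
# Paths containing newlines are not handled.
find_suid_shell_scripts() {
    find "${1:-.}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if is_shell_script "$f"; then printf '%s\n' "$f"; fi
    done
}

# Scan the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then find_suid_shell_scripts "$1"; fi
```

Anything this prints is a candidate for removing the setuid bit or replacing the script with a compiled wrapper.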