
Re: suid script



On Sat, 5 Dec 1998, Jiri Baum wrote:

> The way I remember it is:
> 
> 1) kernel opens the file, finds it suid
> 2) kernel executes the shell with that uid
> 3) shell opens the same filename
> 
> If some fast file-moving is done between (1) and (3), one can substitute
> something else for the suid script.
> 
> Don't forget the user can copy / link a suid script into his home directory.

Ahh, link is the thing I was looking for.  Otherwise, the person who made
the suid script would be responsible for the exploit, which wasn't making
sense to me.  I think it's probably the kernel that does the open on step
3, but it's no big difference in the point you were making.  I wonder how
other unix variants that allow suid scripts do this?  Or better question:
are there any?  This has been very interesting, thanks for all the info.

Brandon

+---                                                              ---+
| Brandon Mitchell * bhmit1@mail.wm.edu * http://bhmit1.home.ml.org/ |
|  Sometimes you have to release software with bugs. - MS Recruiter  |
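
The sequence quoted above (open and check the file, then open the same filename again) can be seen from the defender's side in a small C program. This is an added example, not part of the original thread; the function names `same_file` and `demo_name_rebound` and the temporary paths are constructed for illustration.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if `path` still names the file open on `fd`, 0 if not, -1 on error. */
int same_file(int fd, const char *path)
{
    struct stat by_fd, by_name;
    if (fstat(fd, &by_fd) != 0 || stat(path, &by_name) != 0)
        return -1;
    return by_fd.st_dev == by_name.st_dev && by_fd.st_ino == by_name.st_ino;
}

/* Write `text` to a new file at `path`; 0 on success. */
static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Constructed scenario: returns 1 when the rename between the check and the
 * re-open is detected and the held descriptor still reads the checked file. */
int demo_name_rebound(void)
{
    char dir[] = "/tmp/suidrace-XXXXXX", a[64], b[64], buf[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/script", dir);
    snprintf(b, sizeof b, "%s/other", dir);
    if (write_file(a, "checked\n") || write_file(b, "replaced\n")) return -1;
    int fd = open(a, O_RDONLY);                /* step 1: open and inspect */
    if (fd < 0) return -1;
    int before = same_file(fd, a);             /* name and fd agree: 1 */
    if (rename(b, a) != 0) return -1;          /* name rebound before step 3 */
    int after = same_file(fd, a);              /* name now points elsewhere: 0 */
    ssize_t n = read(fd, buf, sizeof buf - 1); /* fd is still the checked file */
    close(fd); unlink(a); rmdir(dir);
    return before == 1 && after == 0 && n > 0 && strcmp(buf, "checked\n") == 0;
}

int main(void) { printf("rebinding detected: %d\n", demo_name_rebound()); return 0; }
```

The descriptor obtained at the check keeps referring to the checked file regardless of what the name points to later, so code that must act on what it checked should read from that descriptor instead of opening the name a second time.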

