Galevsky wrote:
> When user3 will launch the script later, he will get the user1
> permissions thanks to the setguid flag on the script, and will be able
Setuid scripts are a security hole! It is almost impossible to
prevent anyone from becoming the owner of the script in those cases.
Better would be to write a very small C program that does nothing but
launch the script and make the binary program setuid. That avoids
most of the trouble.
Bob
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
int main(int argc,char **argv)
{
/* FIXME: This list is still insufficient. */
putenv("PATH=/usr/bin:/bin");
putenv("IFS= \t\n");
putenv("ENV=");
setuid(geteuid());
execv("/path/to/MYSCRIPT",argv);
fprintf(stderr,"Could not execute script /path/to/MYSCRIPT\n");
perror("exec");
return 1;
}
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org