home *** CD-ROM | disk | FTP | other *** search
- From: prl@iis.ethz.ch (Peter Lamb)
- Newsgroups: alt.sources
- Subject: Re: sux, an enhancer for su
- Message-ID: <prl.672649640@iis>
- Date: 26 Apr 91 07:07:20 GMT
-
- peltz@cerl.uiuc.edu (Steve Peltz) writes:
- >WILL work, wouldn't the following one-line shell script do just as well?
-
- N O O O O O O O O !!!!!!
-
- >Maybe there's a reason; maybe the "groups" command is Sun specific or
- >something...
-
- No.
-
- >Don't forget to change it to be owned by root and setuid and executable...
-
- If I can execute a setuid root script I can become root (independent of
- its contents). So can a very large range of other people. Some of them
- not friendly enough to warn you about it.
-
- >Sorry - not in shar format; why put in an extra 20 lines to wrap 2?
-
- >#!/bin/sh
- >groups | grep -s wheel && su $* || echo Sorry
-
- Don't do it !
-
- Don't install this script. Don't make it set{uid,gid}.
-
- Setuid shell scripts are security holes!
-
-
- --
- Peter Lamb
- uucp: uunet!mcsun!ethz!prl eunet: prl@iis.ethz.ch Tel: +411 256 5241
- Integrated Systems Laboratory
- ETH-Zentrum, 8092 Zurich
-
