Potential warning: 10.3.9 disables SUID/SGID flag
My opinion: this is really, really stupid. What's next, refusal to accept wildcards in rm(1) commands?
Here's the situation as I see it: you can still use chmod to set the suid bit on any file, including scripts. If you execute a #! script, its suid bit is ignored. If you execute a shell script without a #!, then bash & csh ignore the suid bit, but ksh hangs or gives a bus error. You can still easily write & compile a one-line shim along the lines of and setuid on its binary to run "myscript", which can still be a #! script.
Since this is a (minor) hassle, it will lead to the temptation to write a more general script that will allow any program to be run suid; if anyone succumbs to that temptation (and I bet some will do so), the result will be a much worse security problem. What is gained by this?
Greg Shenaut
Potential warning: 10.3.9 disables SUID/SGID flag
No, you can't use chmod to set the setuid bit on any file. You can only do it on files you own, and thus an unprivileged user cannot create a setuid binary with escalated privileges as you describe. You can create setuid binaries that run as your own user all day long, and I'd hardly consider this a "much worse security problem."
Potential warning: 10.3.9 disables SUID/SGID flag
My point is that the change does not reduce security since it is trivial to get past it, and it may worsen security by creating the temptation to construct a general work-around which would, by its generality, open doors that are now closed.
Here's a ksh script I wrote called "shuid" that restores much of the previous functionality and does not, I think, reduce security:
What this does is to hide the actual script away in the user's home directory and replace it with a binary compiled to do nothing but to call the script in its new home. It then sets executable and suid on the binary.
Greg Shenaut
Potential warning: 10.3.9 disables SUID/SGID flag
Why not just 'sudo script'?
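An audit of what the thread describes, as an added example that is not part of any post above: it lists set-id files under a directory and separates #! scripts (whose bit, per the thread, is ignored) from native binaries, which are where a compiled wrapper around a script would show up. The names `classify` and `audit` are hypothetical, and telling native code apart by Mach-O/ELF magic bytes is this example's assumption.

```python
import os
import stat
import sys

# Magic numbers of native executables: Mach-O (32-bit, 64-bit, fat; both byte orders) and ELF.
NATIVE_MAGIC = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"\x7fELF")

def classify(mode, head):
    """Return (bits, kind, writable) for a set-id regular file, else None."""
    if not stat.S_ISREG(mode):
        return None
    bits = [n for n, b in (("suid", stat.S_ISUID), ("sgid", stat.S_ISGID)) if mode & b]
    if not bits:
        return None
    if head.startswith(b"#!"):
        kind = "script"      # per the thread, the bit is ignored for #! scripts
    elif head.startswith(NATIVE_MAGIC):
        kind = "native"      # bit is honoured; could be a wrapper around a script
    else:
        kind = "unknown"     # unreadable, or e.g. a shell script with no #! line
    writable = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
    return "+".join(bits), kind, writable

def audit(root):
    """Walk root; return [(path, owner_uid, bits, kind, writable)] for set-id files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # file vanished during the walk
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4)
            except OSError:
                head = b""                   # execute-only files still get reported
            result = classify(st.st_mode, head)
            if result:
                findings.append((path, st.st_uid) + result)
    return findings

if __name__ == "__main__":
    for path, uid, bits, kind, writable in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        note = "  GROUP/WORLD-WRITABLE" if writable else ""
        print(f"{bits:9} uid={uid:<6} {kind:8} {path}{note}")
```

Native entries owned by another user and anything flagged writable are the ones to review first; "script" entries are leftovers whose bit no longer has any effect.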