
Re: Shebang line parsing mystery

From: Andy Dougherty
Date: January 17, 2012 05:32
Subject: Re: Shebang line parsing mystery
Message ID: alpine.DEB.2.00.1201170830020.22230@fractal.phys.lafayette.edu
On Tue, 17 Jan 2012, Andy Dougherty wrote:

> On Mon, 16 Jan 2012, Rafael Garcia-Suarez wrote:

> If I recall correctly, 'indir' was a program designed to indirectly 
> execute other programs.  My recollection is that it was supposed to be 
> particularly useful in setuid situations where the OS didn't natively 
> provide you much help, and/or perhaps in situations where the OS kernel 
> limited you to 32 character command lines.

Ah, here it is:

 http://ftp.sunet.se/pub/usenet/ftp.uu.net/comp.sources.unix/volume21/indir.gz

Here is the basic description:

Subject:  v21i031:  Safe way to run setuid shell scripts
Newsgroups: comp.sources.unix
Approved: rsalz@uunet.UU.NET
X-Checksum-Snefru: 4f572b9c 2ce9cfdd 5b62cea8 69ef7415

Submitted-by: Maarten Litmaath <maart@cs.vu.nl>
Posting-number: Volume 21, Issue 31
Archive-name: indir

Suppose you want everyone to be able to remove some lockfile, but you don't
want its directory to be world-writable.  Isn't it ridiculous you'd have to
write a setuid C program to do the equivalent of the following shell script?

	#!/bin/sh
	/bin/rm /some/directory/lockfile

The problem: making this shell script setuid creates a security hole (see
the file `setuid.txt').  The solution: indir(1).  Using this program the
script would be setuid and look like this:

	#!/bin/indir -u
	#?/bin/sh /safe/path/to/this/script
	/bin/rm /some/directory/lockfile


-- 
    Andy Dougherty		doughera@lafayette.edu
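The two-line header above is the whole of what this post says about indir's format: a `#!` line naming indir, then a `#?` line naming the real interpreter and the script's own safe path. The following is an added example written for this archive page, not indir's source (which is not on the page) and not the poster's code. It parses that header and performs two checks that a cautious wrapper could make before handing the script to the interpreter: that the path on the `#?` line refers to the very same file that was opened (same device and inode), and that the script is not writable by group or others. Both checks, the function names, and the three sample scripts are assumptions made here; the meaning of the `-u` flag is not stated on the page and is not interpreted.

```python
import os
import shlex
import stat
import tempfile


def parse_indir_header(text):
    """Split the two-line header into (interpreter, extra_args, script_path).

    Assumed layout, taken from the description in the post:
        line 1: #!/bin/indir -u
        line 2: #?/interpreter [args ...] /absolute/path/to/this/script
    """
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("#!") or not lines[1].startswith("#?"):
        raise ValueError("not an indir-style script: expected '#!' then '#?' lines")
    words = shlex.split(lines[1][2:])
    if len(words) < 2:
        raise ValueError("'#?' line must name an interpreter and the script's own path")
    interpreter, script_path = words[0], words[-1]
    if not (os.path.isabs(interpreter) and os.path.isabs(script_path)):
        raise ValueError("interpreter and script path must be absolute")
    return interpreter, words[1:-1], script_path


def check_script(path):
    """Open the script once and keep that descriptor as the reference.

    Two assumed checks (not a statement of what indir itself does):
      * the '#?' path must resolve to the same device/inode as the file
        that was actually opened, so a name cannot later point elsewhere;
      * the file must not be writable by group or others.
    Returns (interpreter, extra_args, script_path) or raises ValueError.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        opened = os.fstat(fd)
        with open(fd, "r", closefd=False) as fh:
            header = fh.read(4096)
        interpreter, args, script_path = parse_indir_header(header)
        named = os.stat(script_path)
        if (named.st_dev, named.st_ino) != (opened.st_dev, opened.st_ino):
            raise ValueError("'#?' path does not name the file that was opened")
        if opened.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise ValueError("script is group- or world-writable")
        return interpreter, args, script_path
    finally:
        os.close(fd)


def _write(path, body, mode):
    """Helper for demo(): write a constructed sample script with a given mode."""
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, mode)


def demo():
    """Run the checks over three constructed sample scripts in a temp dir.

    Returns {"good": interpreter, "wrong_path": message, "loose_mode": message}.
    """
    out = {}
    with tempfile.TemporaryDirectory() as d:
        # 1. Well-formed: '#?' names this very file, owner-only write bit.
        good = os.path.join(d, "rmlock")
        _write(good, "#!/bin/indir -u\n#?/bin/sh %s\n/bin/rm /some/directory/lockfile\n" % good, 0o755)
        out["good"] = check_script(good)[0]

        # 2. '#?' names a different file than the one being run.
        wrong = os.path.join(d, "wrongpath")
        _write(wrong, "#!/bin/indir -u\n#?/bin/sh %s\n" % good, 0o755)
        try:
            check_script(wrong)
            out["wrong_path"] = "accepted"
        except ValueError as exc:
            out["wrong_path"] = str(exc)

        # 3. Correct path, but the script is world-writable.
        loose = os.path.join(d, "loose")
        _write(loose, "#!/bin/indir -u\n#?/bin/sh %s\n" % loose, 0o777)
        try:
            check_script(loose)
            out["loose_mode"] = "accepted"
        except ValueError as exc:
            out["loose_mode"] = str(exc)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The point of comparing `fstat` on the open descriptor with `stat` on the named path is that every later decision is made about the file already in hand rather than about a name that could be re-resolved; the mode check is the ordinary guard that a file executed with elevated privilege is not editable by whoever can write to it.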


