
Re: Shebang line parsing mystery

From: Rafael Garcia-Suarez
Date: January 17, 2012 06:34
Subject: Re: Shebang line parsing mystery
Message ID: CAMoYMM-FhodGfGvGCkxGTFaZDScMgAZZ8y_axWfE++fxqOdXOw@mail.gmail.com
On 17 January 2012 14:32, Andy Dougherty <doughera@lafayette.edu> wrote:
> On Tue, 17 Jan 2012, Andy Dougherty wrote:
>
>> On Mon, 16 Jan 2012, Rafael Garcia-Suarez wrote:
>
>> If I recall correctly, 'indir' was a program designed to indirectly
>> execute other programs.  My recollection is that it was supposed to be
>> particularly useful in setuid situations where the OS didn't natively
>> provide you much help, and/or perhaps in situations where the OS kernel
>> limited you to 32 character command lines.
>
> Ah, here it is:
>
>  http://ftp.sunet.se/pub/usenet/ftp.uu.net/comp.sources.unix/volume21/indir.gz

I am impressed! Thanks for digging that out.
I'll push (later) a patch to remove the "indir" special-case.
As for the decision of deprecating (or cutting off) the whole
exec-what's-on-the-shebang functionality, I'll wait for informed
advice.

> Here is the basic description:
>
> Subject:  v21i031:  Safe way to run setuid shell scripts
> Newsgroups: comp.sources.unix
> Approved: rsalz@uunet.UU.NET
> X-Checksum-Snefru: 4f572b9c 2ce9cfdd 5b62cea8 69ef7415
>
> Submitted-by: Maarten Litmaath <maart@cs.vu.nl>
> Posting-number: Volume 21, Issue 31
> Archive-name: indir
>
> Suppose you want everyone to be able to remove some lockfile, but you don't
> want its directory to be world-writable.  Isn't it ridiculous you'd have to
> write a setuid C program to do the equivalent of the following shell script?
>
>        #!/bin/sh
>        /bin/rm /some/directory/lockfile
>
> The problem: making this shell script setuid creates a security hole (see
> the file `setuid.txt').  The solution: indir(1).  Using this program the
> script would be setuid and look like this:
>
>        #!/bin/indir -u
>        #?/bin/sh /safe/path/to/this/script
>        /bin/rm /some/directory/lockfile
>
>
> --
>    Andy Dougherty              doughera@lafayette.edu
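
The two header conventions discussed above, modelled as an added example in Python. This is not indir's source (that is at the ftp.sunet.se URL Andy found) and not perl's toke.c; it follows only what the posting describes: a plain `#!/bin/sh` script is handed to the interpreter on the `#!` line together with whatever path the kernel passed, while an indir script carries a second `#?` line naming the real interpreter and a fixed absolute path to itself, and indir execs that instead of trusting the path it was invoked with. That fixed path is what removes the classic setuid-script hole, in which the interpreter re-opens a path from argv that the attacker can swap between the kernel's open and its own. Assumptions of my own: the `#?` interpreter and script path must be absolute and free of `..`, an interpreter recognises itself by its basename appearing in the header's interpreter path, and the `handoff` treatment of the indir header (run the script from the fixed path if we are the interpreter it names, otherwise re-dispatch) is my reading of the convention, since the thread does not say what perl's special case actually did.

```python
"""
Model of the two shebang conventions from the indir posting (added example;
not indir's own source and not perl's toke.c).

  plain:  #!/bin/sh [args]        kernel execs /bin/sh <path it was given>
  indir:  #!/bin/indir [args]     kernel execs /bin/indir <path it was given>
          #?/bin/sh /abs/path     indir execs /bin/sh /abs/path and ignores
                                  the path the kernel handed it

Assumed rules: the '#?' interpreter and script path must be absolute and
must not contain '..'; an interpreter recognises itself by its basename
appearing in the header's interpreter path.
"""
import os


class ShebangError(ValueError):
    """Malformed #! or #? header."""


def parse_shebang(first_line):
    """Split '#!/bin/sh -e' into ('/bin/sh', ['-e']); None if not a #! line."""
    if not first_line.startswith("#!"):
        return None
    parts = first_line[2:].strip().split()
    if not parts:
        raise ShebangError("empty #! line")
    return parts[0], parts[1:]


def parse_indir_line(line):
    """Parse '#?interp /abs/path [args]' into (interp, path, args), validated."""
    if not line.startswith("#?"):
        raise ShebangError("indir script lacks a '#?' line")
    parts = line[2:].strip().split()
    if len(parts) < 2:
        raise ShebangError("'#?' line needs an interpreter and a script path")
    interp, path, args = parts[0], parts[1], parts[2:]
    # A fixed path only helps if it is absolute and cannot climb out of the
    # directory it names (assumed check; indir's own rules may differ).
    if not os.path.isabs(interp) or not os.path.isabs(path):
        raise ShebangError("'#?' interpreter and script path must be absolute")
    if ".." in path.split("/"):
        raise ShebangError("'#?' script path must not contain '..'")
    return interp, path, args


def indir_exec(script_text):
    """argv that /bin/indir would exec for this script, built from the '#?' line."""
    lines = script_text.split("\n")
    sb = parse_shebang(lines[0]) if lines else None
    if sb is None or os.path.basename(sb[0]) != "indir":
        raise ShebangError("not an indir script")
    if len(lines) < 2:
        raise ShebangError("indir script lacks a '#?' line")
    interp, path, args = parse_indir_line(lines[1])
    return [interp, *args, path]


def handoff(script_text, invoked_path, my_name):
    """
    What an interpreter called `my_name` (e.g. 'perl') does when exec'd on
    `invoked_path`, following the exec-what's-on-the-shebang behaviour the
    thread describes.  Returns ('run', path) to run the script itself or
    ('exec', argv) to hand it to the interpreter the header names.
    """
    lines = script_text.split("\n")
    sb = parse_shebang(lines[0]) if lines else None
    if sb is None:
        return ("run", invoked_path)          # no #! line at all: ours to run
    interp, args = sb
    if my_name in os.path.basename(interp):
        return ("run", invoked_path)          # e.g. '#!/usr/bin/perl -w'
    if os.path.basename(interp) == "indir":
        # indir dispatched on the fixed path, so use that path, not argv.
        # (Assumed handling; the thread does not say what perl's special case did.)
        second = lines[1] if len(lines) > 1 else ""
        real_interp, safe_path, real_args = parse_indir_line(second)
        if my_name in os.path.basename(real_interp):
            return ("run", safe_path)
        return ("exec", [real_interp, *real_args, safe_path])
    # Plain handoff: the only path available is the one the kernel passed.
    return ("exec", [interp, *args, invoked_path])


if __name__ == "__main__":
    # Constructed sample: the lockfile script from the indir posting.
    sample = ("#!/bin/indir -u\n"
              "#?/bin/sh /safe/path/to/this/script\n"
              "/bin/rm /some/directory/lockfile\n")
    print(indir_exec(sample))
    print(handoff(sample, "/tmp/whatever", my_name="sh"))
    print(handoff("#!/bin/sh\necho hi\n", "/tmp/x", my_name="perl"))
```

Note the contrast in `handoff`: for a plain `#!/bin/sh` script the interpreter has nothing better than `invoked_path`, which is exactly the value an attacker controls in the setuid race, whereas the indir branch never looks at `invoked_path` at all.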
