But the trusted interpreter could still be executed by the user
with the name of the script as argv[1]. Same for setuid...
> Any "guarding" setuid interpreter should check that what it is executing
> really should be allowed to be done, if this means checking the mount
> options then so be it, but I don't think this is necessary.
I think this is necessary - and it is not portable. I still think
we should allow the Solaris /dev/fd hack (at least as an option).
> script that is setuid (4755)
>
> #!/usr/local/sbin/setuidexec /bin/sh
>
> cat < /etc/some_file_readable_only_by_root
>
> Putting script on vol mounted: noexec then nosuid then nosuid,noexec
> Putting the setuid guard wrapper on a mount that allows setuid and execs.
Is there anything to stop me doing this:
/usr/local/sbin/setuidexec /bin/sh script
(script is on a filesystem mounted nosuid)
This has nothing to do with filesystem type (ext2 or umsdos). Or am
I missing something here?
Marek
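The check the thread argues over, as an added example that is not from the original discussion or from any real setuidexec: a guard wrapper that opens the script once, judges that descriptor (setuid bit, writability, and the mount's nosuid/noexec flags), and then hands the interpreter /dev/fd/N, the Solaris trick mentioned above, so the file that was checked is the file that runs. The names guard_check, guard_exec and the verdict codes are assumptions of this example.

```c
#define _GNU_SOURCE            /* for ST_NOEXEC on glibc */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/statvfs.h>

/* Why the guard refused (GUARD_OK: the script may run as its owner). */
enum guard_verdict {
    GUARD_OK = 0,
    GUARD_NOT_SETUID,   /* script has no setuid bit: nothing was meant to be granted */
    GUARD_WRITABLE,     /* group/other can rewrite the script */
    GUARD_MOUNT_NOSUID  /* script lives on a nosuid (or noexec) mount */
};

/* Pure policy decision, testable without a real mount:
 * st is the fstat() of the open script, vfs_flags the f_flag from fstatvfs(). */
enum guard_verdict guard_check(const struct stat *st, unsigned long vfs_flags)
{
    if (!S_ISREG(st->st_mode) || !(st->st_mode & S_ISUID))
        return GUARD_NOT_SETUID;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return GUARD_WRITABLE;
    if (vfs_flags & ST_NOSUID)
        return GUARD_MOUNT_NOSUID;
#ifdef ST_NOEXEC
    if (vfs_flags & ST_NOEXEC)
        return GUARD_MOUNT_NOSUID;
#endif
    return GUARD_OK;
}

/* Open the script once, check that descriptor, then exec the interpreter on
 * /dev/fd/N. Returns only on failure. Assumes the wrapper itself is setuid root. */
int guard_exec(const char *interp, const char *script)
{
    struct stat st;
    struct statvfs vfs;
    char fdpath[32];
    int fd = open(script, O_RDONLY);   /* no O_CLOEXEC: the interpreter reads this fd */
    if (fd < 0 || fstat(fd, &st) != 0 || fstatvfs(fd, &vfs) != 0)
        return -1;
    if (guard_check(&st, vfs.f_flag) != GUARD_OK || setuid(st.st_uid) != 0) {
        close(fd);
        return -1;
    }
    snprintf(fdpath, sizeof fdpath, "/dev/fd/%d", fd);
    execl(interp, interp, fdpath, (char *)NULL);
    return -1;
}
```

With this in place, "setuidexec /bin/sh script" for a script on a nosuid mount is refused with GUARD_MOUNT_NOSUID, and pointing the wrapper at a non-setuid script of one's own is refused with GUARD_NOT_SETUID.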