> Darren J Moffat:
> > In the noexec case it isn't a problem because the script couldn't have
> > been executed to start the trusted interpreter in the first place.
>
> But the trusted interpreter could still be executed by the user
> with the name of the script as argv[1]. Same for setuid...
see below.
> I think this is necessary - and it is not portable. I still think
> we should allow the Solaris /dev/fd hack (at least as an option).
I thought so for a while as well and think that the setuidexec solution is
much much better. In fact, better still, wait until I've finished
implementing POSIX.6 and then the problem is better solved.
> Is there anything to stop me doing this:
>
> /usr/local/sbin/setuidexec /bin/sh script
>
> (script is on a filesystem mounted nosuid)
>
> This has nothing to do with filesystem type (ext2 or umsdos). Or am
> I missing something here?
Yes, the code to setuidexec won't work like this:
$ setuidexec /bin/sh cat ~
cat: No such file or directory
$ setuidexec /bin/sh
Syntax error while executing setuidexec
Usage: #! setuidexec <shell>
The reason for this is the setuidexec program (as posted in this list)
does the /dev/fd hack that Solaris 2.x does exactly _and_ checks the
permissions of the script _and_ creates a minimal standard environment _and_
can't be run unless it is called via a #! mechanism.
[If you missed the code I'll mail it to you if you like]
-- Darren J Moffat "Veni, Vidi, Dolavi"