bug-bash

Re: cd with multiple arguments?


From: Bob Proulx
Subject: Re: cd with multiple arguments?
Date: Thu, 16 Dec 2010 10:03:12 -0700
User-agent: Mutt/1.5.20 (2009-06-14)

Marc Herbert wrote:
> Bob Proulx wrote:
> > The shell isn't the only one that introduces a security vulnerability
> > on most systems when setuid.  All interpreters are the same in that
> > regard.  On systems where you shouldn't suid scripts then you
> > shouldn't suid any of the set of sh/perl/python/ruby scripts either.
> > I think most people would consider at least one of those in that set a
> > real programming language. :-)
> 
> None of these other languages has the same quoting complexity. You can
> find some FAQs saying: "Never setuid a shell script, use something
> less dangerous instead like Perl for instance".

I didn't say anything about quoting.  The topic here was security
vulnerabilities of an suid script.  For example the classic race
condition between stat'ing the #! interpreter and launching the
privileged process on the file.  If the system has that behavior then
any #! interpreter (including non-interpreters such as 'ls') is
vulnerable to an attack of slipping a different interpreter in at the
last moment.

That has nothing to do with quoting and is not specific to any
particular interpreter.  All that is required is that it not be
directly machine executable binary code such that exec(2) can't invoke
it directly but must instead invoke the specified program upon it.

If an FAQ reports that using Perl is okay to be setuid in that
environment then I think it is wrong.  Or at least not completely
general and portable because it is certainly dangerous on Unix
systems.  But it has been so many years since I have looked at that
problem that I don't remember the details.  I do remember using the
exploit on HP-UX systems years ago but I don't remember the specific
behavior here of all of the different kernels in popular use.  Please
don't make me expend precious brain cells remembering it.

Bob
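
As an added example that is not part of the original message: an audit that lists set-uid or set-gid regular files beginning with `#!`, that is, files exec(2) cannot run directly and must hand to the named interpreter. The function name `suid_scripts` is hypothetical, and GNU findutils and coreutils (`find -perm /6000`, `stat -c`) are assumed.

```shell
# suid_scripts DIR
# Prints "MODE OWNER PATH -> INTERPRETER" for every set-uid/set-gid regular
# file under DIR whose first two bytes are "#!". Native binaries are skipped,
# and so are scripts without the privileged bits.
suid_scripts() {
    # -xdev      stay on the filesystem DIR lives on
    # -perm /6000 set-uid OR set-gid bit present (GNU find syntax)
    find "$1" -xdev -type f -perm /6000 -exec sh -c '
        for f do
            # Compare the magic bytes as hex so binary content (NUL bytes)
            # never has to pass through a shell variable.
            magic=$(head -c 2 -- "$f" 2>/dev/null | od -An -tx1 | tr -d " \n")
            [ "$magic" = "2321" ] || continue      # 0x23 0x21 is "#!"
            # First line names the program the kernel will launch on the file.
            IFS= read -r line < "$f" || true
            printf "%s %s -> %s\n" \
                "$(stat -c "%A %U" -- "$f")" "$f" "${line#??}"
        done' sh {} + 2>/dev/null
}

# Typical use on a live system, one filesystem at a time:
#   suid_scripts /usr
```

Each reported path is a candidate for replacing the script with a compiled wrapper or for dropping the privileged bits, whatever interpreter the `#!` line names.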


