[TUHS] Set-uid shell scripts
norman at oclsc.org
Mon Aug 5 07:18:45 AEST 2019
I wonder why it passed the link name, instead of the actual filename of the
target (script)? Perhaps to allow one script to have multiple functions,
depending on the name it was called with?
In fact the latter is still used here and there in standard
But from a security viewpoint it doesn't matter. For
ln -s /bin/scriptname ./-i
execl("/bin/scriptname", "-i", (char *)0);
If you can execute a program, you can fake its arguments,
including argv. There is no defence.
More information about the TUHS