BugTraq
Solaris Signals Feb 12 2003 03:21AM
Jon Masters (jonathan jonmasters org) (1 replies)
Hi,

We all know that old chestnut about tracing setuid programs or scripts,
but what about non-setuid scripts which have been installed for users and
given execute-only permission? For example, a lot of sites provide scripts
for users to run which perform some admin-related function and thus have
usernames or passwords within them - potentially free to users.

The thing I want to do is make a few people think about fixing this by
taking whatever steps are necessary on a per-installation basis. It is a
silly kind of thing which seems to be overlooked all too often. There is
some trivial code attached for those who really do not see my point.

This is bound to be covered somewhere, I just want to get viewpoints.

Jon.

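A per-installation check of the kind the post asks for, as an added example (it is not the code attached to the original message): it lists regular files that group or other may execute but not read and that contain credential-like assignments, so they can be reworked. The pattern, the function names and the sample tree are assumptions constructed for illustration.

```python
import os, re, stat, tempfile

# Heuristic, constructed for this example: an assignment to a credential-like name.
SECRET_RE = re.compile(rb"(?i)(pass|secret|token)\w*\s*[=:]\s*\S+")

def exec_only_classes(mode):
    """Permission classes that may execute the file but not read it."""
    classes = []
    if mode & stat.S_IXGRP and not mode & stat.S_IRGRP:
        classes.append("group")
    if mode & stat.S_IXOTH and not mode & stat.S_IROTH:
        classes.append("other")
    return classes

def audit(root):
    """Return (relative path, classes, line numbers) for execute-only files with secrets."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            classes = exec_only_classes(st.st_mode)
            if not stat.S_ISREG(st.st_mode) or not classes:
                continue
            try:
                with open(path, "rb") as fh:
                    lines = fh.read(1 << 20).splitlines()
            except OSError:
                continue  # auditor lacks read access; run as the owner or root
            hits = [n for n, line in enumerate(lines, 1) if SECRET_RE.search(line)]
            if hits:
                findings.append((os.path.relpath(path, root), classes, hits))
    return findings

def demo():
    """Build a constructed sample tree and audit it."""
    samples = {  # name: (mode, content); all values are made up
        "adduser.sh": (0o711, b"#!/bin/sh\nLDAP_PASSWORD=example-not-real\n"),
        "report.sh": (0o711, b"#!/bin/sh\ndate\n"),
        "open.sh": (0o755, b"#!/bin/sh\nLDAP_PASSWORD=example-not-real\n"),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (mode, content) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return audit(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Files that are world-readable and contain credentials are a separate finding and are deliberately not reported here; the check targets only files whose secrecy depends on the missing read bit.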
Re: Solaris Signals Feb 13 2003 11:44AM
Frank v Waveren (fvw var cx) (1 replies)
Re: Solaris Signals Feb 14 2003 05:17PM
ari (edelkind-bugtraq episec com) (1 replies)
Re: Solaris Signals Feb 14 2003 11:18PM
Casper Dik (Casper Dik Sun COM)


 
