> Ei, though if I'm not mistaken, fairly secure #!-ed scripts can be
> written, if one sets up a binary wrapper (or sudo, generically), to
> eliminate the symlink attack.
True. I was only warning against setuid scripts, not setuid programs
in general.
> In other words, as long as you do nothing incautious like invoking an
> editor or a mail program from your script, you would probably be safe
> with a setuid C program that does nothing but exec your non-setuid
> python script (that obtains increased/altered permission from its
> parent process)...
There are a couple more things you need to be wary of. For instance
you should nuke all LD_* environment variables in your wrapper. This
is another potential hole on, for instance, Sun systems. Something else
you may want to do in your wrapper is setting the PATH, CDPATH, IFS, and
ENV environment variables to innocent values (are there more?).
I have written a template wrapper that makes it easier not to forget
these things. If anyone wants it, just ask.
Sjoerd Mullender
CWI, dept. CST, Kruislaan 413, 1098 SJ Amsterdam, Netherlands
email: Sjoerd.Mullender@cwi.nl fax: +31 20 592 4199
phone: +31 20 592 4127 telex: 12571 mactr nl
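As an added example (not the template wrapper mentioned above, and not code from the original post), here is a small setuid C wrapper of the kind the thread describes: it rebuilds the environment from scratch, dropping every LD_* variable, replacing PATH and IFS with fixed values, unsetting CDPATH and ENV, and then execs a fixed interpreter on a fixed script path with the caller's arguments appended. Dropping DYLD_* and PYTHON* as well is an assumption added here (one answer to "are there more?"), and INTERPRETER and SCRIPT_PATH are assumed placeholder paths.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Assumed locations; placeholders, not from the original post. */
#define INTERPRETER "/usr/bin/python3"
#define SCRIPT_PATH "/usr/local/lib/myapp/main.py"

/* Variables whose value the caller must never be allowed to choose.
 * LD_* is from the post; DYLD_* and PYTHON* are an added assumption. */
static const char *const drop_prefixes[] = { "LD_", "DYLD_", "PYTHON", NULL };
static const char *const drop_exact[]    = { "PATH", "IFS", "CDPATH", "ENV", "BASH_ENV", NULL };

/* Fresh, known-safe values that replace whatever the caller supplied. */
static const char *const fixed_env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Return 1 if a "NAME=value" entry must be dropped, 0 if it may be kept. */
int env_is_dangerous(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t name_len = eq ? (size_t)(eq - entry) : strlen(entry);

    for (const char *const *p = drop_prefixes; *p; p++)
        if (strncmp(entry, *p, strlen(*p)) == 0)
            return 1;
    for (const char *const *p = drop_exact; *p; p++)
        if (strlen(*p) == name_len && strncmp(entry, *p, name_len) == 0)
            return 1;
    return 0;
}

/* Build a new NULL-terminated environment: fixed values first, then every
 * caller entry that passes env_is_dangerous().  NULL on allocation failure. */
char **build_clean_env(char *const *envp)
{
    size_t n_fixed = 0, n_in = 0, n_out = 0;
    while (fixed_env[n_fixed]) n_fixed++;
    while (envp && envp[n_in]) n_in++;

    char **out = calloc(n_fixed + n_in + 1, sizeof *out);
    if (!out) return NULL;

    for (size_t i = 0; i < n_fixed; i++)
        out[n_out++] = (char *)fixed_env[i];
    for (size_t i = 0; i < n_in; i++)
        if (!env_is_dangerous(envp[i]))
            out[n_out++] = envp[i];
    out[n_out] = NULL;
    return out;
}

/* Number of entries in a NULL-terminated environment array. */
size_t env_count(char *const *envp)
{
    size_t n = 0;
    while (envp && envp[n]) n++;
    return n;
}

/* Look up NAME in an environment array; returns its value or NULL. */
const char *env_lookup(char *const *envp, const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; envp && envp[i]; i++)
        if (strncmp(envp[i], name, len) == 0 && envp[i][len] == '=')
            return envp[i] + len + 1;
    return NULL;
}

int main(int argc, char **argv)
{
    /* Make the real uid equal the effective uid so the script runs under one
     * stable identity.  This also switches off the dynamic loader's own LD_*
     * filtering (which only applies while ruid != euid), which is exactly why
     * the environment is rebuilt below instead of being inherited. */
    if (setuid(geteuid()) != 0) { perror("setuid"); return 1; }

    char **clean = build_clean_env(environ);
    if (!clean) { fputs("out of memory\n", stderr); return 1; }

    /* Interpreter argv: -I ignores PYTHON* variables and user site dirs, then
     * the fixed script path, then the caller's arguments (never argv[0]). */
    char **args = calloc((size_t)argc + 3, sizeof *args);
    if (!args) { fputs("out of memory\n", stderr); return 1; }
    args[0] = "python3";
    args[1] = "-I";
    args[2] = SCRIPT_PATH;
    for (int i = 1; i < argc; i++) args[i + 2] = argv[i];
    args[argc + 2] = NULL;

    execve(INTERPRETER, args, clean);   /* absolute paths: PATH is not consulted */
    perror("execve");                   /* only reached if exec failed */
    return 127;
}
```

Install it as a root-owned setuid binary (chown root, chmod 4755) and keep the script itself non-setuid and unwritable by anyone but root. Because execve is given an explicit envp, nothing the caller exported reaches the script unless it survived env_is_dangerous(); the script still has to avoid the "incautious" things the thread warns about, such as spawning an editor or mailer.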