On 13/10/2021 20:17, Denys Vlasenko wrote:
> On Wed, Oct 13, 2021 at 11:56 AM Harald van Dijk <harald@xxxxxxxxxxx> wrote:
>> On 13/10/2021 10:39, Denys Vlasenko wrote:
>>> Who in their right mind would have a *setuid*
>>> shell executable on any system where security matters?
>> I suspect this was originally not for the benefit of setuid shell
>> executables, but setuid shell scripts. Linux does not support those, so
>> the check is considered unnecessary on Linux.
>> However, actually, doing something along those lines is useful even on
>> Linux when setuid applications can be tricked to launch shell processes
>> in insecure ways.
> Not sourcing $ENV is nowhere near enough to plug this hole,
Agreed.
> so doing it is still pointless.
If someone were proposing to do this now, then I would agree. But the
fact that this has been in forever makes me personally think there's
nothing gained by changing it now to something we'd already know will
need changing again later: on Linux the only effect of the change would
be to cause conflicts for distros that already picked up the privmode
patches years ago.
For better or worse, what dash implements now, except for the #ifndef
linux, is specified by POSIX, by the way: "ENV shall be ignored if the
user's real and effective user IDs or real and effective group IDs are
different." That'd actually be an argument in favour of the opposite
direction: removing only the #ifndef/#endif to make sure this check is
performed on all operating systems. But as that's less secure than what
bash does, I'd still favour following bash.
Cheers,
Harald van Dijk
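The POSIX rule Harald quotes ("ENV shall be ignored if the user's real and effective user IDs or real and effective group IDs are different") is small enough to show as a self-contained check. The following is an added illustration, not dash's code and not the privmode patches discussed in the thread; the function names env_must_be_ignored and startup_file_for_process are invented here, and the id values are passed in as parameters so the decision can be exercised without actually running a setuid binary.

```c
/* Added example, not dash's own source: the POSIX decision of whether the
 * ENV startup file may be read, based on real vs. effective ids. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* True when the shell holds privileges the invoking user does not have,
 * i.e. the real/effective uid pair or the real/effective gid pair differ.
 * In that state ENV must not be sourced, because the file it names is
 * chosen by the unprivileged caller. */
bool env_must_be_ignored(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid != euid || gid != egid;
}

/* Apply the rule to the current process: return the path named by ENV,
 * or NULL if ENV is unset or must be ignored. Hypothetical helper name. */
const char *startup_file_for_process(void)
{
    if (env_must_be_ignored(getuid(), geteuid(), getgid(), getegid()))
        return NULL;
    return getenv("ENV");
}

int main(void)
{
    const char *f = startup_file_for_process();
    printf("ENV startup file: %s\n", f ? f : "(unset or ignored)");
    return 0;
}
```

This is only the POSIX minimum the thread describes as "nowhere near enough": it stops one user-controlled file from being read, but leaves the shell running with the elevated ids. The stronger behaviour Harald prefers to follow is bash's, which, when started with effective and real ids that differ and without the -p option, resets the effective ids to the real ones so the rest of the session runs unprivileged.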