Description of problem: There is no influence to run a set-user ID script whether or not option "-b" is used. Version-Release number of selected component (if applicable): tcsh-6.15.00 How reproducible: Use command "tcsh [-b]" to execute a set-user ID script. Steps to Reproduce: 1.[test@RHEL5 b]$ cat test.tcsh #!/bin/tcsh echo pass 2.[test@RHEL5 b]$ ll test.tcsh -rwsr--r-- 1 test test 23 2008-02-22 10:03 test.tcsh 3.[test@RHEL5 b]$ tcsh -b test.tcsh Pass 4.[test@RHEL5 b]$ tcsh test.tcsh pass Actual results: It outputed "pass" whether option "-b" is used. Expected results: "test.tcsh" cann't be executed when option "-b" is not used. Additional info:
Created attachment 295579 [details] This is a patch fixing the bug.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
This request was erroneously denied for the current release of Red Hat Enterprise Linux. The error has been fixed and this request has been re-proposed for the current release.
I will propose this to upstream. -- Another test case: $ ll ./suid.sh -rwsr--r--. 1 root root 42 Jan 17 19:24 suid.sh $ cat ./suid.sh #!/bin/tcsh whoami $ whoami vvitek $ tcsh ./suid.sh vvitek # Now I would expect EACCES according to man page $ tcsh -b ./suid.sh vvitek # Now I would expect root according to man page
Proposed to upstream: http://bugs.gw.com/view.php?id=119
Upstream likely to reject the patch, as permissions of executing set-user ID script may vary from system to system.
Bugfix was successfully verified on tcsh617-6.17-5.el5 package. Description of "-b" parameter was updated.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Previously, the tcsh(1) man page stated that the shell would not run a set-user ID script without an "-b" argument. This statement was removed from the man page because it is forbidden to run set-user ID scripts in Red Hat Enterprise Linux 5.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1072.html