On Mon, 01 Dec 2025 12:53:10 -0600 "Eric W. Biederman" ebiederm@xmission.com wrote:
Roberto Sassu roberto.sassu@huaweicloud.com writes:
...
There is the partial solution of passing /dev/fd instead of passing the name of the script. I suspect that would break things. I don't remember why that was never adopted.
I thought that was what was done - and stopped the problem of a user flipping a symlink between a suid script and one the user had written.
It has only ever been done for suid scripts when the uid actually changes. Which makes it possible to set the permissions so that owner can't run the script! (The kernel only needs 'x' access, the shell needs 'r' access, so with 'x+s' the owner can't execute the script but everyone else can.)
There is a much older problem that probably only affected the original 1970s 'sh' (not even the SYSV/SunOS version) that quoted redirects on the command line would get actioned when the parameter was substituted - which I think means the original 'sh' did post-substitution syntax analysis (the same as cmd.exe still does). That doesn't affect any shells used since the early 1980s.
David
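A small model of the two checks discussed above (the kernel's 'x' check at execve and the interpreter's need to read the script, which the /dev/fd hand-off avoids only when the uid actually changes), added here as an illustration and not code from the thread; the function names are mine and it assumes a non-root caller and unchanged supplementary groups:

```python
import stat


def class_bits(mode, file_uid, file_gid, uid, gids):
    """Permission triple (r, w, x) that uid/gids get on a file under the
    classic owner/group/other rule: the first matching class decides."""
    if uid == file_uid:
        shift = 6
    elif file_gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)


def script_runs(mode, file_uid, file_gid, uid, gids, devfd_on_uid_change=True):
    """Model of the two checks a '#!' script must pass.

    1. execve: the kernel only needs 'x' on the file.
    2. The interpreter must open the script text itself, unless the kernel
       already opened it and passed /dev/fd/N instead of the path, which (as
       described in the thread) only happens when the effective uid changes.
    Returns (runs, reason).  Assumes a non-root caller (no CAP_DAC_OVERRIDE).
    """
    _, _, x = class_bits(mode, file_uid, file_gid, uid, gids)
    if not x:
        return False, "execve: no x permission"
    new_euid = file_uid if mode & stat.S_ISUID else uid
    if devfd_on_uid_change and new_euid != uid:
        return True, "interpreter reads /dev/fd/N opened by the kernel"
    # Otherwise the interpreter opens the path as new_euid and needs 'r'.
    r, _, _ = class_bits(mode, file_uid, file_gid, new_euid, gids)
    if r:
        return True, "interpreter opened the script by name"
    return False, "interpreter cannot read the script"


if __name__ == "__main__":
    # Constructed scenario: script owned by uid/gid 1000, mode --x--s--x (0o4111).
    print(script_runs(0o4111, 1000, 1000, 1000, {1000}))   # owner: fails
    print(script_runs(0o4111, 1000, 1000, 1001, {1001}))   # other user: runs
```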