Shell Scropts

[Michael A. Peters]

On Fri, 2005-04-15 at 16:33 +0900, Mark Sargent wrote:

> Hi All,
> 
> a little curious about this now. If a user downloads a bin or script 
> file that is coded to attack a system, and the local user can set 
> execution, the executed file won't damage the system due to it not being 
> a root file, yes..? Have I got that correct..? Hope so. Cheers.

Unless it knows about a local exploit on the system that allows it to
jump privileges, it will only be able to run with the permissions of the
user that executed it.

It could do some damage to your user files, it could also start an inode
bomb etc., but it won't be able to modify or delete anything that the
user running it is not allowed to modify/delete.

This is why you should not run as root.

In fact (and OT) - I think the common practice of running as admin in OS
X is directly responsible for why users have to repair permissions so
much - I don't know for sure, but I never have that problem on OS X -
everyone else does, I don't. I don't run as admin on OS X, so my normal
user doesn't have permission to mess up permissions - and thus, apps I
run don't either.