L
Lawrence D'Oliveiro
How?
Systems which allow set-uid scripts also usually support referring to open
file descriptors n via a pathname like /dev/fd/n. This might be done by
mounting a special pseudo-filesystem (fdfs) on /dev/fd. (This was how I
remember it being done on DEC UNIX.)
So when a the kernel detects that an executable file is actually a script,
it opens the script file on some file descriptor n, and passes the
name /dev/fd/n to the script interpreter, instead of the original script
pathname. That way, there is no opportunity for deceiving the process into
executing the wrong script with set-uid privileges.