Oh SNAP! Old-school '80s Unix hack to smack OSX, iOS, Red Hat?

Michael Wojcik Silver badge

Re: Less confused...

I read it again

I'm glad to see someone read the actual whitepaper (assuming that's what you meant). Clearly many of the comments in this forum are from people who couldn't spare a couple of minutes to do so, and instead thought they'd go ahead and post idiotic and irrelevant crap.

If the script is owned by root

No. Ownership of the script doesn't matter.[1] The effective UID under which it's running is the key.

Note, too, that it's not simply an exposure for the superuser. There are various possible exploits against other non-privileged users which may be of interest to attackers who simply want access to data they shouldn't have.

If the script is owned by root, a rogue script could be run/sourced by the "evil" expansion and that will mean that the rogue script could be used to escalate privileges or do bad things.

That's one possibility, though it's not the main one the whitepaper discusses. Its authors are more fond of the filename-as-option vector.

[1] Prolepsis: The exec(2) implementations in modern UNIXes generally ignore the setuid bit on interpreter ("script") files.
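The "filename-as-option vector" the comment refers to is wildcard expansion handing a filename to a utility as if it were a command-line flag. The script below is an added example, not code from the comment, the forum thread or the whitepaper it discusses; it builds a constructed sandbox directory containing a file named "-n", shows that a bare glob lets cat treat that name as an option, and shows the two standard defences: the "--" end-of-options marker and anchoring the glob with "./". It assumes a POSIX sh with mktemp and cat available.

```shell
#!/bin/sh
# Added example: why a glob must not be allowed to inject options, and the
# usual defences. Not taken from the comment or the whitepaper.
set -eu

# Constructed sandbox: one file whose name looks like a cat(1) flag.
make_sandbox() {
  dir=$(mktemp -d)
  printf 'ignored\n' > "$dir/-n"   # redirect target is a full path, so no parsing issue here
  printf '%s' "$dir"
}

# Naive: `cat *` expands to `cat -n`, so cat numbers stdin (empty here)
# and the file named "-n" is never opened. Output is empty.
naive_cat() {
  ( cd "$1" && cat * < /dev/null )
}

# Hardened: `--` tells cat that every following word is an operand,
# so "-n" is opened as a file and its contents are printed.
safe_cat_dashdash() {
  ( cd "$1" && cat -- * < /dev/null )
}

# Hardened alternative: anchoring the glob with ./ makes the expansion
# "./-n", which no utility parses as an option. This also protects tools
# that do not honour "--".
safe_cat_anchored() {
  ( cd "$1" && cat ./* < /dev/null )
}

# Stand-alone demonstration; the sandbox is removed afterwards (note the
# same `--` guard on rm, for the same reason).
demo_dir=$(make_sandbox)
printf 'naive   : [%s]\n' "$(naive_cat "$demo_dir")"
printf 'dashdash: [%s]\n' "$(safe_cat_dashdash "$demo_dir")"
printf 'anchored: [%s]\n' "$(safe_cat_anchored "$demo_dir")"
rm -rf -- "$demo_dir"
```

The same two guards apply to any utility invoked on a user-writable directory from a privileged context (cron jobs, backup scripts, package hooks): always pass "--" before operands that come from a glob or user input, or anchor the glob so that no expansion can begin with a dash. The comment's point about the effective UID still stands: the damage done by an injected option is bounded by the UID the script runs under, not by who owns the script file.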
