+ If software creates mode 666 files (read and write by all) and owned by
+ root, is it possible for a third party to edit the file (provided it is
+ text) and do a `sh <filename>` to run it as root?
A root-owned file w/o the suid bit set will run under the calling
user's uid, so one couldn't modify this file and execute it themselves
to get root access.
However, if this is a script that is called by root (via an unthinking
sysadmin, cron job, other program) then there could certainly be a
problem. I've often seen programs that are group or world writable
that are called from cron because the admin doesn't want to have to
su to edit them. This of course is a bad thing, and various
host security programs will notice and flag this.
Note also that on many machines you can disable the ability to run
suid shell scripts, i.e. it runs as the calling user regardless of the
suid bit. This is a good configuration, IMHO, since there are too
many problems with suid shell scripts anyway.
Systems and Security Engineer
Onsight, Inc. http://www.avue.com/
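
The kind of check a host security program makes for the cron case described in the reply, as an added example that is not part of the original message: it lists files named in a crontab that are group- or world-writable. It goes one step beyond the text by also flagging a writable, non-sticky parent directory, since that lets the script be replaced. The function names are hypothetical, and the crontab is assumed to be in system format (a user field before the command).

```shell
#!/bin/sh
# Added example (not from the original message): audit the files a
# system-format crontab runs for group/world write permission.

# loose PATH [extra find tests] -> success if PATH is group- or
# world-writable and also passes any extra find tests given.
loose() {
    target=$1; shift
    [ -n "$(find "$target" -prune \( -perm -020 -o -perm -002 \) "$@" -print 2>/dev/null)" ]
}

# audit_crontab FILE -> prints "REASON PATH" for every absolute path in
# the command part of FILE that exists as a regular file and is risky.
# Assumed layout: "m h dom mon dow user command" or "@keyword user command".
# Simplification: tokens are split on whitespace, quoting is not parsed.
audit_crontab() {
    # Skip comments, blank lines and VAR=value lines, then emit each
    # whitespace-separated token of the command part on its own line.
    awk '/^[ \t]*(#|$)/ || /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }
         { s = ($1 ~ /^@/) ? 3 : 7
           for (i = s; i <= NF; i++) print $i }' "$1" |
    grep '^/' | sort -u |
    while IFS= read -r p; do
        [ -f "$p" ] || continue
        if loose "$p"; then
            # Anyone in the group (or anyone at all) can edit what root runs.
            echo "writable-file $p"
        elif loose "$(dirname "$p")" ! -perm -1000; then
            # File is tight, but it can be renamed away and replaced.
            echo "writable-dir $p"
        fi
    done
}

# Usage: audit_crontab /etc/crontab
```

Each output line names the reason and the path; an empty result means no referenced file was found to be group- or world-writable.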