Aucbvax.3052
fa.unix-wizards
utzoo!decvax!ucbvax!unix-wizards
Thu Sep 10 05:41:13 1981
Re: setuid cleared on write
From eps@UCLA-Security Thu Sep 10 05:35:22 1981
You've totally missed the point I'm trying to make.  If I
don't want other users to write a file then I won't leave it
writable.  I find it very hard to "accidentally leave a file
writable" given that my umask is 022 and if I'm chmod'ing
something other than 644 or 755 then I do it symbolically
anyway.  It makes more sense to make a file not writable
than to put stupid kernel hacks in.  Your suggestion would
(besides inconveniencing users who have a legitimate
need/right to write files they don't own) make it more
likely that users who write set- programs will be careless
"knowing that the system will protect them."  I know of a
system that is always low on disk space, so the users have
(human-enforced) quotas.  Does this encourage people to cut
their usage?  No!  They don't bother to clean up fifty
versions of a file because someone else will do it for them.
Take some responsibility for your actions.  Don't be lulled
into a false sense of "security" because when someone DOES
break your system you're going to be in for a BIG surprise.
If you need "hand-holding" then use your Unix-given software
tools to write hand-holding user-mode programs and let the
people who are brave enough fend for themselves.  Some days
it seems that Moral Majority (inc.) has invaded my CRT as
well as my TV.

There are cheap forms of "insurance" against files being
left writable.  The easiest is some kind of "install"
program to copy your executable to /whatever/bin and
chown/chmod it appropriately.  If you're really paranoid you
could run ncheck or find on a regular basis to find each
file with set-bits and make sure the protection is
reasonable.  I don't think this is really necessary.  Ever
hear the cliche "an ounce of prevention...?" (Back when
28.34952g was worth something?)

                                       --Eric

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
The opinions expressed are solely those of the author.
"If you don't like it--don't use it"  --David I. Bell
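
The periodic check the post mentions (using find to locate each file with set-bits and confirm its protection is reasonable), as an added example that is not part of the original post. The function names, and the choice to treat "group- or other-writable" as the unreasonable case, are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Function names (list_setid, audit_setid) are hypothetical.

# list_setid DIR...
# Inventory: every regular file under DIR that has the set-uid (4000)
# or set-gid (2000) bit. "-perm -NNNN" matches when all bits in NNNN are set.
list_setid() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_setid DIR...
# Subset of the inventory that is also writable by group (0020) or
# other (0002). Prints the offending paths, one per line.
# Returns 1 if any were found and 0 if none, so a cron job can alert on it.
audit_setid() {
    found=$(find "$@" -type f \
        \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) \
        -print 2>/dev/null | sort)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}
```

Run from cron as, for example, `audit_setid /usr/bin /usr/local/bin`, and compare successive `list_setid` outputs to notice set-id files that appear between runs.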

-----------------------------------------------------------------
gopher://quux.org/ conversion by John Goerzen <[email protected]>
of http://communication.ucsd.edu/A-News/


This Usenet Oldnews Archive
article may be copied and distributed freely, provided:

1. There is no money collected for the text(s) of the articles.

2. The following notice remains appended to each copy:

The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996
Bruce Jones, Henry Spencer, David Wiseman.