Aucbvax.3107
fa.unix-wizards
utzoo!decvax!ucbvax!unix-wizards
Sat Sep 12 01:15:02 1981
Problems with turning off setuid
>From MathStat.jmrubin@Berkeley Sat Sep 12 00:52:45 1981
From csvax:unix-wizards Fri Sep 11 21:23:14 1981
Subject: Problems with turning off setuid
Newsgroups: fa.unix-wizards
>From decvax!duke!unc!smb@Berkeley Fri Sep 11 21:04:18 1981
In-real-life: Steven M. Bellovin
Location: University of North Carolina at Chapel Hill
Although I feel that Berkeley's practice is indeed a reasonable
protection scheme, it can cause problems. For example, I sometimes
create setuid programs that have group-write permission. To test a
new version, I can just copy the file into it, without having to 'su'
each time. Assuming that /etc/group is secure (or no less secure than
/etc/passwd, at any rate), there is no security risk.
I don't think that group security is as strong as individual security.
On at least some systems, the empty core-dump from a setgid program can be
made into a setgid program to fork a shell. (or do anything else)
Thus, if you have this system, you may give someone the total
permissions which the owner of the setuid program has.
By the way, we seem to be getting all messages from Steven Bellovin
in duplicate or triplicate. Anyone know why?
Joel Rubin
-----------------------------------------------------------------
gopher://quux.org/ conversion by John Goerzen <
[email protected]>
of
http://communication.ucsd.edu/A-News/
This Usenet Oldnews Archive
article may be copied and distributed freely, provided:
1. There is no money collected for the text(s) of the articles.
2. The following notice remains appended to each copy:
The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996
Bruce Jones, Henry Spencer, David Wiseman.
