Bugtraq mailing list archives
Re: Why you should avoid world-writable directories
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 23 Dec 1998 09:28:35 +1100
In some mail from Ben Laurie, sie said:
D. J. Bernstein wrote:Certainly setuid programs require a great deal of care. They've been involved in many security disasters, though far fewer than (for example) world-writable directories. The security community would love to see another portable IPC mechanism offering guaranteed user identification. (I suggest that kernels add a getpeeruid() system call, showing the real uid that called connect(), for UNIX-domain sockets and for loopback TCP sockets.) However, while we're waiting, we need a few setuid programs.What's wrong with the LOCAL_CREDS option on UNIX domain sockets?
In a way, that is exactly the type of thing he is referring to, BUT, LOCAL_CREDS must be supplied to be received as opposed to just "looked up" with getpeeruid() (my understanding anyway). Darren
Current thread:
- Re: Why you should avoid world-writable directories Ben Laurie (Dec 22)
- Re: Why you should avoid world-writable directories Darren Reed (Dec 22)
- Re: Why you should avoid world-writable directories Rich Burroughs (Dec 22)
- Re: Why you should avoid world-writable directories Wietse Venema (Dec 22)
- <Possible follow-ups>
- Re: Why you should avoid world-writable directories Nick Maclaren (Dec 22)
- Re: Why you should avoid world-writable directories Jason Thorpe (Dec 24)
- Re: Why you should avoid world-writable directories Alan Cox (Dec 24)
- Administrivia Aleph One (Dec 26)
- Nlog 1.1b released - security holes fixed HD Moore (Dec 26)
- referer problems... Spencer Portee - Yard Productions (Dec 26)
- Re: Why you should avoid world-writable directories Jason Thorpe (Dec 24)
- Re: Why you should avoid world-writable directories Bill Paul (Dec 26)
(Thread continues...)