Bugtraq mailing list archives
Re: Tracing by uid u after root does setuid(u)
From: spaf () CS PURDUE EDU (Gene Spafford)
Date: Wed, 13 Jan 1999 21:35:21 -0500
Isn't this a bit of a stretch?
> Many programs that use setuid() can be exploited this way. For example, you lose all security if you use the chdir()/setuid() mechanism suggested by Steve Bellovin and Gene Spafford.
*All* security? Maybe I'm particularly dense this evening, but I don't see how tracing execution causes you to lose "all security" unless you are defining that term very differently from the way I do.
--spaf