Bugtraq mailing list archives
Re: Wiping out setuid programs
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Thu, 7 Jan 1999 07:22:48 +1100
In some mail from D. J. Bernstein, sie said:
> This is a continuation of the ``Why you should avoid world-writable directories'' thread. Why do we create setuid programs? Because we need to let users access particular files in restricted ways. Some traditional examples:
> [...]
> In every case the file access could be moved to a non-setuid daemon that accepts UNIX-domain connections from unprivileged user programs. This would wipe out a huge number of local security holes. However, in most cases, the daemon needs to know who it's talking to, for access control or for accounting. That's why I want a getpeeruid() routine returning the uid that called connect().
> [...]
> Anyway, I've set up a web page discussing various IPC mechanisms from the writing-daemons-that-manage-restricted-files point of view: http://pobox.com/~djb/docs/secureipc.html Please let me know if you have any updates.
Some of the free unix teams already have designs on how to remove setuid and setgid from executables using `this' feature. As with all work done in this community, progress is regulated by people's available time and other projects in progress - which I'm sure you can understand. Given that it originated in the commercial sector (BSDI) (I believe), it is reasonable to suspect they've made some progress on this front also.

Darren
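The getpeeruid() routine Bernstein asks for above now exists in two flavours: SO_PEERCRED (getsockopt on Linux) and getpeereid() (the BSDs and macOS). Both hand the daemon the credentials the peer held at the moment it called connect(), not whatever it holds later, which is exactly the property a non-setuid file-access daemon needs. The following is an added example, not code from this thread or from any of the projects mentioned in it. It wraps both kernel interfaces behind one peer_uid() helper, builds a listener and a client in a single process over a UNIX-domain socket so the query can be exercised stand-alone, and checks the returned uid against a hypothetical allow-list (the socket path under /tmp and the uid_allowed() policy are assumptions standing in for a real daemon's per-file access control).

```c
#define _GNU_SOURCE            /* struct ucred / SO_PEERCRED on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>

/* getpeeruid() as the thread asks for it, built on what kernels provide:
   SO_PEERCRED on Linux, getpeereid() on the BSDs and macOS.  Both report
   the credentials the peer held when it called connect(), not what it
   holds now, so a client that changes uid afterwards cannot fool the daemon. */
static int peer_uid(int fd, uid_t *uid, gid_t *gid)
{
#if defined(__linux__)
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0)
        return -1;
    *uid = cr.uid;
    *gid = cr.gid;
    return 0;
#else
    return getpeereid(fd, uid, gid);
#endif
}

/* Daemon-side policy hook: a hypothetical allow-list of uids (assumption,
   stands in for whatever per-file access control the daemon enforces). */
static int uid_allowed(uid_t uid, const uid_t *acl, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (acl[i] == uid)
            return 1;
    return 0;
}

/* Listener and client in one process: bind a UNIX-domain socket, connect
   to it, accept, and ask the kernel who connected.  Because the client is
   this same process, the answer must equal getuid(). */
static int demo_connect_and_query(uid_t *out)
{
    char path[64];
    struct sockaddr_un sa;
    int srv = -1, cli = -1, conn = -1, rc = -1;
    gid_t gid;

    /* assumed location; a real daemon would use a fixed, non-world-writable dir */
    snprintf(path, sizeof path, "/tmp/peeruid-demo-%ld.sock", (long)getpid());
    unlink(path);                          /* remove a stale socket, if any */

    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);

    if ((srv = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) goto out;
    if (bind(srv, (struct sockaddr *)&sa, sizeof sa) < 0) goto out;
    if (listen(srv, 1) < 0) goto out;

    if ((cli = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) goto out;
    /* connect() completes at once: the kernel parks it in the listen backlog */
    if (connect(cli, (struct sockaddr *)&sa, sizeof sa) < 0) goto out;

    if ((conn = accept(srv, NULL, NULL)) < 0) goto out;
    /* the credential query belongs on the accepted socket, not the listener */
    if (peer_uid(conn, out, &gid) < 0) goto out;
    rc = 0;
out:
    if (conn >= 0) close(conn);
    if (cli >= 0) close(cli);
    if (srv >= 0) close(srv);
    unlink(path);
    return rc;
}

int main(void)
{
    uid_t uid;
    uid_t acl[] = { 0, getuid() };       /* constructed allow-list: root and us */

    if (demo_connect_and_query(&uid) < 0) {
        perror("demo_connect_and_query");
        return 1;
    }
    printf("peer connected as uid %ld (we are uid %ld): %s\n",
           (long)uid, (long)getuid(),
           uid_allowed(uid, acl, 2) ? "allowed" : "denied");
    return 0;
}
```

One caveat a daemon author should keep in mind: the credentials are recorded per connection, so a daemon that multiplexes several clients over one descriptor (or accepts a passed file descriptor) gets the uid of whoever connected, not of whoever is currently writing. Query the accepted socket once, store the uid with that connection's state, and make every later access decision from that stored value.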