Guide to writing secure setuid programs?

Jeff Siegal jbs at fenchurch.MIT.EDU
Mon Mar 14 10:51:01 AEST 1988


In article <7616 at oberon.USC.EDU> blarson at skat.usc.edu (Bob Larson) writes:
>In article <700 at virginia.acc.virginia.edu> scl at virginia.acc.Virginia.EDU (Steve Losen) writes:
>>	[...].  I made the directory 777 instead of using
>>	setuid-to-lp fraud.  Sure a malicious user can remove files in the
>>	print queue. So what?
>So what?  It depends a lot on what you are printing.  When someone
>modifies the batch of checks waiting to be printed or gives the
>confidential information you were printing to a competitor I doubt
>your boss would say "So what?".

Setting the directory mode to 777 by itself doesn't let anyone modify
or read anything.  All it allows people to do is:

	1. List the file names in the directory
	2. Access files in the directory _according_to_their_modes.
	3. Remove files from the directory.

#1 can be prevented, if necessary, by setting the directory mode to 733
rather than 777.  This effectively prevents #2 and #3 if you use
obscure file names.  #2 can be absolutely prevented in any case by
setting the mode of each file in the directory appropriately.  #3 can
be absolutely prevented on BSD 4.3 systems by setting the sticky bit
(mode 1733) on the directory.

The security risk is minimal, since all that can be done is removing
the files, not reading or writing them. Even this can be effectively
prevented by using the measures described above.

Jeff Siegal
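As an added example (not part of the original post), the following POSIX shell function audits a spool directory against the three concerns listed above: it reports whether the directory mode still lets others list it (#1), whether any queued file is itself world-readable or world-writable (#2), and whether other-write without the sticky bit lets anyone unlink entries (#3). It assumes only a POSIX `ls` and `cut`; the directory path is the single argument.

```shell
#!/bin/sh
# spool_check DIR: print the exposures a spool directory's modes still permit.
# Output is "ok", or a space-separated list drawn from
#   listable      (#1) others can read the directory and list queue file names
#   exposed-file  (#2) at least one queued file is world-readable or -writable
#   removable     (#3) others can write the directory and no sticky bit is set
# Exit status: 0 when ok, 1 when something is exposed, 2 when DIR is not a directory.
spool_check() {
    dir=$1
    # First ten characters of "ls -ld" are the type and mode string, e.g. drwx-wx-wt
    perms=$(ls -ld -- "$dir" | cut -c1-10)
    case $perms in d*) ;; *) echo "not-a-directory"; return 2 ;; esac
    findings=""

    # (#1) other-read on the directory: anyone can enumerate queued file names
    case $(printf '%s' "$perms" | cut -c8) in
        r) findings="$findings listable" ;;
    esac

    # (#2) per-file modes: the directory mode never protects a file whose own
    # mode grants others read or write, so look at the "other" bits of each file
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue          # unmatched globs and subdirs are skipped
        case $(ls -l -- "$f" | cut -c8-9) in
            *[rw]*) findings="$findings exposed-file"; break ;;
        esac
    done

    # (#3) other-write on the directory: entries can be unlinked by anyone
    # unless the sticky bit (shown as t/T in the last position, mode 1xxx) is set
    case $(printf '%s' "$perms" | cut -c9-10) in
        w[tT]) ;;                        # 1733-style: only the owner may remove
        w*) findings="$findings removable" ;;
    esac

    if [ -z "$findings" ]; then
        echo "ok"
        return 0
    fi
    echo "${findings# }"
    return 1
}
```

Run it as `spool_check /path/to/spool`; a result of "ok" corresponds to the 1733-directory-plus-private-files arrangement described above.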


