Complex security mechanism is unsecure (was Re: non-superuser chown(2)s considered harmful)

Masataka Ohta mohta at necom830.cc.titech.ac.jp
Wed Dec 12 00:17:20 AEST 1990


In article <18792 at rpp386.cactus.org>
	jfh at rpp386.cactus.org (John F Haugh II) writes:

>The result of making a system call "root-only" is that any application
>which might have a legitimate need to execute that function must be
>set-uid to root in order to perform that now privileged operation.

In general, making some application set-uid to root is more secure
                                                       ^^^^
than making it set-uid to, say, uucp.

In the latter case, you must be careful that no unauthorized person can
have uucp nor root privilege. If you have an executable owned by uucp
in root's command search path (like /usr/bin/tip), those who have uucp
privilege can easily set a trojan horse trap.

>Unfortunately, if you have an application that
>wants to change the ownership to the user, such as cu, you must now
>make cu set-UID to "root".

But it is more secure.

So, don't make the security mechanism complex. The simpler, the more secure.

						Masataka Ohta



More information about the Comp.unix.internals mailing list