setuid cleared on write

utzoo!decvax!pur-ee!bruner
Fri Sep 11 11:06:07 AEST 1981


I don't, in general, like systems that "hold my hand" either.  I
personally don't like having setuid/setgid cleared when a file is
written under any circumstances.  However, in a university environment
with over two thousand undergraduate accounts, some provisions must
be made for the novice user.  I'm not concerned that a system staff
member will leave a setuid root file world writable.  However, I have
seen students create mode 4777 files (even though the umask is 022)
so that their friends can use their accounts.  A malicious user will
usually wreak havoc using an account other than his own (to avoid
detection).  It is necessary, in this environment, to protect novice
users from themselves.  Given this assumption, I was suggesting a
solution which preserves as much flexibility as possible.

System crashers have incredible amounts of time to go searching for
writable setuid files or to try out every possible way to crash a
setuid program.  (For that reason, I suggest that we either don't
bring up security topics in "unix-wizards", or we specify exactly
what the problem is when a security "hole" is detected.  If a "hacker"
and a system staff member read the same "news" entry hinting at a
security hole, it will probably be the hacker who figures it out
first because he's got "all of the time in the world".  Note also that
inter-machine mail isn't secure because the files are world-readable,
so private correspondence about security problems should be done by
some other means.)  I don't like solutions which restrict access
or flexibility, and I certainly don't like hacks in the kernel,
but in cases like this one I can see no alternative.

--John
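As an added example (not part of the original post or the system it describes), here is a small audit script for the situation John describes: setuid or setgid files that are also group- or world-writable, such as the mode 4777 files students were creating. It assumes a POSIX `find`, `chmod` and `sort`, and a directory the caller is allowed to traverse.

```shell
#!/bin/sh
# Added example: audit a tree for setuid/setgid files that are also
# group- or world-writable (the "mode 4777" case), and optionally strip
# the stray write bits while leaving the set-id bits alone.

# List regular files under $1 that have setuid or setgid set AND
# group or other write permission.  One path per line, sorted.
# Assumption: $1 is a directory readable by the caller.
find_writable_setid() {
    find "$1" -xdev -type f \
        \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null | sort
}

# Number of offending files; a cron job can alert on a nonzero value.
count_writable_setid() {
    find_writable_setid "$1" | wc -l | tr -d ' '
}

# Remove group/other write from each offending file, keeping setuid/setgid.
# Without root only files owned by the caller can be changed; chmod
# reports any failure on stderr and the loop continues.
harden_writable_setid() {
    find_writable_setid "$1" | while IFS= read -r f; do
        chmod go-w "$f" && echo "hardened: $f"
    done
}

# Usage when run directly, e.g.:  ./setid_audit.sh /usr/local
if [ -n "${1:-}" ]; then
    echo "writable set-id files under $1: $(count_writable_setid "$1")"
    find_writable_setid "$1"
fi
```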
