Guide to writing secure setuid programs?
Bob Larson
blarson at skat.usc.edu
Mon Mar 14 09:41:53 AEST 1988
In article <700 at virginia.acc.virginia.edu> scl at virginia.acc.Virginia.EDU (Steve Losen) writes:
>2) Avoid setuid if you can. I once wrote a very simple print spooler
> that puts files in a directory where they are picked up periodically
> by a daemon to be printed. I made the directory 777 instead of using
> setuid-to-lp fraud. Sure a malicious user can remove files in the
> print queue. So what?
So what? It depends a lot on what you are printing. When someone
modifies the batch of checks waiting to be printed or gives the
confidential information you were printing to a competitor, I doubt
your boss would say "So what?".
--
Bob Larson Arpa: Blarson at Ecla.Usc.Edu blarson at skat.usc.edu
Uucp: {sdcrdcf,cit-vax}!oberon!skat!blarson
Prime mailing list: info-prime-request%fns1 at ecla.usc.edu
oberon!fns1!info-prime-request