Guide to writing secure setuid programs?
Patrick Barron
pdb at sei.cmu.edu
Sat Mar 19 03:32:51 AEST 1988
In article <127 at heart-of-gold> jc at heart-of-gold (John M Chambers x7780 1E342) writes:
>Lest people think I am being facetious, I'd like to point out that there
>is an important point at work here. When writing a program, I don't know
>whether it will be setuid. So how can I follow the above advice? (Obviously,
>by not writing any programs! :-) When I write a line of code, how do I
>determine whether it is in a setuid program?

On the contrary, normally when one writes a program that is going to
have the set-uid bit set, one knows that for a fact before starting. Taking
random programs that you know little or nothing about, and making them
set-uid, is an exceptionally bad idea.

>Can anyone show me the source for setuid()? I suspect that you can't,

No, I can't show you the source for setuid(), but only because my Ultrix
license agreement prohibits it.... :-) Seriously, there really is a setuid()
system call. It doesn't do what you want, though.

--Pat.