Guide to writing secure setuid programs?

John Chambers jc at minya.UUCP
Mon Mar 21 12:33:04 AEST 1988


> A much better approach would be to have a pseudo-user for whatever
> facility you were creating, and a _short_, _auditable_ setuid program,
> without shell escapes and other similar nonsense, to deposit things in
> the spool directory.  

A program that does exactly this was posted to one of the sources groups
a couple of years back, under the name "append.c".  Perhaps it's time
to post it again.  Or is it archived in one of the source newsgroups?

It was also a Unix implementation of a Multics security feature.  It's
also a good counter-example to the frequent claims that all setuid programs
are Bad Things.

-- 
John Chambers <{adelie,ima,maynard,mit-eddie}!minya!{jc,root}> (617/484-6393)
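
An added example, not the append.c the post refers to and not from its author: a C deposit helper of the kind described, meant to be installed setuid to a pseudo-user that owns the spool directory. The spool path `/var/spool/example` and the names `valid_leaf` and `spool_append` are assumptions made for illustration.

```c
/* Added illustration, not the historical append.c; the spool path is hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Accept only a plain leaf name: no '/', no leading '.', bounded length. */
int valid_leaf(const char *name)
{
    size_t n = strlen(name);
    return n > 0 && n <= 64 && name[0] != '.' && strchr(name, '/') == NULL;
}

/* Append len bytes to dir/name; 0 on success, -1 on refusal or error. */
int spool_append(const char *dir, const char *name, const void *buf, size_t len)
{
    struct stat st;
    int dfd, fd, rc = -1;
    if (!valid_leaf(name))
        return -1;
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    /* O_NOFOLLOW refuses a planted symlink; O_APPEND never truncates. */
    fd = openat(dfd, name, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    close(dfd);
    if (fd < 0)
        return -1;
    /* Only a regular file with a single link is written to. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1 &&
        write(fd, buf, len) == (ssize_t)len)
        rc = 0;
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    char buf[4096];
    ssize_t n;
    if (argc != 2)
        return 2;
    while ((n = read(0, buf, sizeof buf)) > 0)
        if (spool_append("/var/spool/example", argv[1], buf, (size_t)n) != 0)
            return 1;
    return n < 0;
}
```

The helper takes one argument (the leaf name) and reads the data from standard input; it never runs a shell or another program, so the whole privileged path is the code above.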


