should Unix refuse to execute writable binaries?
Dick Dunn
rcd at ico.isc.com
Sun Mar 3 09:55:21 AEST 1991
ernest at pegasus.dsg.tandem.com (Ernest Hua) writes:

> Should the Unix kernel refuse to execute binaries (or scripts) that are ...
> 1. setuid-ed plus group and/or world writable?
> 2. setgid-ed plus world writable?

I see two levels at which the answer ought to be "no".

1. The pedantic rote answer is "no, because the kernel isn't supposed to
   be in the business of making [that sort of] policy decision."

2. A practical answer is "no, because the situation is more complicated
   than that." The restrictions required to keep the least experienced
   users from hurting themselves may be more than the most experienced
   users want to put up with.

As an example, I had for some time a root-owned 4777 executable, quite
intentionally. It was useful because it was a program I was frequently
rebuilding and testing, on my own workstation. Having it globally writable
allowed the make to toss the executable where I wanted it, ready to run
without the su/chown/chmod, and without killing the make the next time
around if I forgot to move the file or change it back. The machine is only
accessible to a few people, and even beyond that the file was within a 700
directory of mine.

Depending on administrative domains and policies, you can probably come up
with reasonable uses for group-writable setuid--just assume that the
members of the group have to trust one another and/or the result uid is a
pseudo-user representing the group.

--
Dick Dunn rcd at ico.isc.com -or- ico!rcd Boulder, CO (303)449-2870
...But is it art?
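
Added example, not part of the original post: a user-space audit that flags the two conditions from the quoted question instead of having the kernel enforce them. The function names are hypothetical. It also reports whether a directory with no group/other search permission (like the 700 directory mentioned in the post) sits above each flagged file.

```python
import os
import stat
import sys

def classify(mode):
    """Return which conditions from the quoted question a file mode meets."""
    if not stat.S_ISREG(mode):
        return []
    group_w, world_w = mode & stat.S_IWGRP, mode & stat.S_IWOTH
    hits = []
    if mode & stat.S_ISUID and (group_w or world_w):
        hits.append("setuid+group/world-writable")   # condition 1
    if mode & stat.S_ISGID and world_w:
        hits.append("setgid+world-writable")         # condition 2
    return hits

def blocks_non_owners(dir_mode):
    """True if neither group nor others may search (traverse) the directory."""
    return (dir_mode & (stat.S_IXGRP | stat.S_IXOTH)) == 0

def shield(directory, root):
    """Nearest directory from `directory` up to `root` that blocks non-owners."""
    current, root = os.path.abspath(directory), os.path.abspath(root)
    while True:
        if blocks_non_owners(os.stat(current).st_mode):
            return current
        if current == root or current == os.path.dirname(current):
            return None
        current = os.path.dirname(current)

def scan(root):
    """Return (path, octal mode, conditions, shielding directory or None)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable entry
            hits = classify(mode)
            if hits:
                findings.append((path, oct(stat.S_IMODE(mode)), hits,
                                 shield(dirpath, root)))
    return findings

if __name__ == "__main__":
    for finding in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```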