Full Disclosure mailing list archives

Re: Partial Solution to SUID Problems


From: Henning Brauer <hb-fulldisclosure () bsws de>
Date: Sat, 6 Dec 2003 13:19:40 +0100

On Sat, Dec 06, 2003 at 02:53:58AM -0500, Todd Burroughs wrote:
> If, by "messing up with them", you mean "turning off the suid bit", that
> cannot decrease security.  If they think otherwise, they do not know
> what they talk about.  Any program that is suid or sgid can either do
> nothing for or decrease your security.  I cannot think of any possible
> way that keeping suid/sgid could increase your security.  There are some
> exceptions if you want to give people partial root access, like 'sudo'.

please explain how a user should be able to change his password 
without a setuid passwd. write access to /etc/spwd.db and pwd.db for 
everybody...?

-- 
Henning Brauer, BS Web Services, http://bsws.de
hb () bsws de - henning () openbsd org
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

