Bugtraq mailing list archives

Re: /etc/utmp


From: mengel () dcdmwm fnal gov (Marc W. Mengel)
Date: Mon, 28 Mar 94 17:05:57 -0600


In <9403281947.AA24016@coronado>  you write:
  >>>>> "ches" == ches  <ches () research att com> writes:

  ches> In <9403252218.AA14294 () rwing UUCP> you write: I don't know of a
  ches> specific patch, for this.  But the only REAL fix is to make the
  ches> /etc/utmp file so it is not world-writeable.  That means, of
  ches> course, fixing anything that must update it, other than login or
  ches> init to run SUID root without creating a worse hole.

  ches> To quote our President: "NO NO NO NO NO NO NO ..." :-)

  ches> Making things setuid root is almost always wrong.  Make a new
  ches> group, say group "utmp", and make anything that needs to deal
  ches> with utmp


  what if a file has to be group "utmp" and.... for some stupid
  reason... another gid?

  The one thing that gets me about UNIX file perms is that a single file
  can't be in multiple groups.

  Scott
  ps: ARE there cases of this? where something needs to be in line
  utmp and another group?


I think the situation is pretty rare; but if it needs to do things with 
two sets of permissions, have it run two children, one with permission 
to do one thing, and a second with permission to do the other; talk to
'em with pipes or some such.

Next, you can go halfway, make the program setuid, have it initially
add 2 or 3 group id's, and then setuid itself back to the user, before
doing *anything* else.  That way there's little or no chance of the
user being able to break your code and make you do anything dangerous
while you're still root.  After all, it's pretty hard to make

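        #include <grp.h>
        #include <unistd.h>

        int main(int argc,char **argv) {
                static gid_t mygroups[] = {2,5,7};

                /* still root: add the groups, then drop back to the user */
                if (setgroups(3, mygroups) != 0 || setuid(getuid()) != 0)
                        return 1;       /* never go on if either call failed */

                /* now actually do work */
                return 0;
        }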

do anything while it's still root except maybe drop core.
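
The two-children arrangement suggested in the reply above, as an added example (not code from the original post): each child keeps a single group, gives up root, and hands its result back over a pipe. The names `run_in_group` and `report_egid` and the group ids 2 and 5 are hypothetical.

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that keeps only group `gid`, gives up root, then runs job().
 * The job's result comes back over a pipe. Returns 0 on success, -1 if not. */
int run_in_group(gid_t gid, long (*job)(void), long *result)
{
    int fds[2], status;
    pid_t pid;
    ssize_t n;
    if (pipe(fds) != 0) return -1;
    pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                       /* child */
        long r;
        close(fds[0]);
        /* Order matters: groups first, uid last; any failure is fatal. */
        if (geteuid() == 0 && setgroups(1, &gid) != 0) _exit(1);
        if (setgid(gid) != 0 || setuid(getuid()) != 0) _exit(1);
        r = job();                        /* runs with the reduced identity */
        _exit(write(fds[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(fds[1]);                        /* parent keeps only the read end */
    n = read(fds[0], result, sizeof *result);
    close(fds[0]);
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return n == (ssize_t)sizeof *result ? 0 : -1;
}

/* Constructed job: report the effective gid the child ended up with. */
long report_egid(void) { return (long)getegid(); }

int main(void)
{
    gid_t wanted[2] = { 2, 5 };           /* hypothetical group ids */
    for (int i = 0; i < 2; i++) {
        long egid;
        if (run_in_group(wanted[i], report_egid, &egid) != 0)
            fprintf(stderr, "child for gid %ld failed (needs root)\n", (long)wanted[i]);
        else
            printf("child %d ran with egid %ld\n", i, egid);
    }
    return 0;
}
```

The parent never takes on either group itself; a child that cannot set its identity exits before running the job, so the parent sees a failure instead of a result computed with the wrong permissions.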


