Bugtraq mailing list archives
Re: system() call in suid programs
From: max () gac edu (Max Hailperin)
Date: Fri, 14 Jun 1996 14:24:39 -0500
   Date: Fri, 14 Jun 1996 12:31:53 -0400
   From: Valdis.Kletnieks () vt edu

   The worst part is that coding the fork/exec *yourself* takes only 5-6
   lines more, and you can shut down almost all of these attacks.

Although I more-or-less agree, it takes a significant enough amount of work to shut them all down, and is easy enough to screw up, that there is no point in not packaging up once and for all the code for doing this into a library and then using that, rather than over and over coding those 5-6 lines (or whatever it really is) by hand.

Sure enough, this has been done, namely by Matt Bishop in his msystem library. I endorse the approach he took (packaging the code into a library) more than necessarily endorsing (or speaking against) his specific implementation -- I haven't done a careful security audit on it to allow me to do that. However, the great thing about source code distribution is that not only can you check his code, but also if you find a bug in it, you can fix it! So why not take whatever energy you'd put into crafting your own N+1st solution to the system(3) and popen(3) problem and instead devote it to improving msystem (if it needs it)?

-Max Hailperin
Assistant Professor of Computer Science
Gustavus Adolphus College
800 W. College Ave.
St. Peter, MN 56082 USA
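The kind of fork/exec wrapper the thread is arguing about, as an added example that is not part of the original post and is not msystem's code. The name safe_run, the fixed PATH value and the assumption that the child needs no set-id privilege are all hypothetical choices made here.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* safe_run() is a hypothetical helper name, not msystem's API.
 * Runs an absolute-path program with no shell; returns its exit status,
 * 127 if the child could not drop privileges or exec, -1 on other errors. */
int safe_run(const char *path, char *const argv[])
{
    /* Assumed fixed environment: the caller's PATH, IFS, LD_* never reach the child. */
    static char *const clean_env[] = { "PATH=/bin:/usr/bin", NULL };
    int status;
    pid_t pid;

    if (path == NULL || path[0] != '/')      /* no PATH search, no relative paths */
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        /* Child: drop set-id privilege before exec, group before user. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        /* Close inherited descriptors above stderr (scan capped at 4096 here). */
        long maxfd = sysconf(_SC_OPEN_MAX);
        if (maxfd < 0 || maxfd > 4096)
            maxfd = 4096;
        for (int fd = 3; fd < maxfd; fd++)
            close(fd);
        umask(077);
        execve(path, argv, clean_env);       /* argv is passed as-is, never parsed */
        _exit(127);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demo: a variable set by the "caller" must not show up in env's output. */
    char *const argv[] = { "env", NULL };
    setenv("CONSTRUCTED_VAR", "constructed-value", 1);
    printf("exit status: %d\n", safe_run("/usr/bin/env", argv));
    return 0;
}
```

Even this short version has to get the drop order, the descriptor sweep, the environment and the EINTR loop right, which is the argument for keeping such code in one audited library.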