Full Disclosure mailing list archives
Re: Partial Solution to SUID Problems
From: psz () maths usyd edu au (Paul Szabo)
Date: Sat, 6 Dec 2003 21:42:48 +1100 (EST)
Todd Burroughs <todd () hostopia com> wrote:
> If, by "messing up with them", you mean "turning off the suid bit", that cannot decrease security. If they think otherwise, they do not know what they talk about. Any program that is suid or sgid can either do nothing for or decrease your security. I cannot think of any possible way that keeping suid/sgid could increase your security. There are some exceptions if you want to give people partial root access, like 'sudo'.

Sorry, but I have a counter-example (and admit that I was bitten by it): pt_chown (or chgpt or slvmod or whatever). Some OSs use something like that to chown or chmod the pty they just allocated. Turning the suid bit off prevents your pty from being owned by you so you cannot set safe permissions, and are vulnerable to "echo badcommand > yourpty".

Cheers,

Paul Szabo - psz () maths usyd edu au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
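
A check for the condition described in the message above, added here as an example and not part of the original post: it reports whether the terminal behind a file descriptor is owned by the calling user and who else may write to it. The function names and flag constants are assumptions made for this example.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Flag names are hypothetical, chosen for this example. */
#define PTY_NOT_OWNED   0x1  /* terminal is not owned by the calling user */
#define PTY_OTHER_WRITE 0x2  /* any local user may write to the terminal  */
#define PTY_GROUP_WRITE 0x4  /* group may write (often group tty, mode 620) */

/* Pure check: classify the owner and mode bits of a terminal for user `me`. */
int pty_perm_issues(const struct stat *st, uid_t me)
{
    int issues = 0;
    if (st->st_uid != me)      issues |= PTY_NOT_OWNED;
    if (st->st_mode & S_IWOTH) issues |= PTY_OTHER_WRITE;
    if (st->st_mode & S_IWGRP) issues |= PTY_GROUP_WRITE;
    return issues;
}

/* Audit the terminal behind fd. Returns the issue bitmask, or -1 if fd
 * is not a terminal or cannot be inspected. */
int audit_tty(int fd)
{
    struct stat st;
    if (!isatty(fd) || fstat(fd, &st) != 0)
        return -1;
    int issues = pty_perm_issues(&st, getuid());
    const char *name = ttyname(fd);
    printf("%s: uid=%ld mode=%04o issues=0x%x\n", name ? name : "(unknown)",
           (long)st.st_uid, (unsigned)(st.st_mode & 07777), issues);
    return issues;
}

int main(void)
{
    int r = audit_tty(STDIN_FILENO);
    if (r < 0) {
        fprintf(stderr, "stdin is not a terminal\n");
        return 2;
    }
    /* A terminal you do not own cannot be chmod'ed to a safe mode by you;
     * world-writable means any user can write to it. Group write is only
     * reported, since mode 620 with a dedicated tty group is common. */
    return (r & (PTY_NOT_OWNED | PTY_OTHER_WRITE)) ? 1 : 0;
}
```

Run it from an interactive login on the system where the setuid bit was changed; exit status 1 means the terminal is not owned by you or is world-writable.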