On 13 May 2011 08:32, Jonathan McKeown <j.mcke...@ru.ac.za> wrote:

> On Thursday 12 May 2011 17:26:49 Chris Telting wrote:
> > On 05/12/2011 07:57, Jonathan McKeown wrote:
> > >
> > > I'll say that again. It is inherently insecure to run an interpreted
> > > program set-uid, because the filename is opened twice and there's no
> > > guarantee that someone hasn't changed the contents of the file addressed
> > > by that name between the first and second open.
> > >
> > > It's one thing to tell people they need to be careful with suid because
> > > it has security implications. Deliberately introducing a well-known
> > > security hole into the system would in my view be dangerous and wrong.
> >
> > That race condition bug was fixed in ancient times. Before FreeBSD or
> > Linux ever existed I believe. It's a meme that just won't die. People
> > accepted mediocrity in old commercial versions of Unix. I personally am
> > unsatisfied by kludges.
>
> That seems somewhat unlikely given, as someone else pointed out upthread, that
> Perl still comes with a compile-time option SETUID_SCRIPTS_ARE_SECURE_NOW,
> suggesting that they often aren't. Yes, there are ways to avoid this race
> condition - the usual one is to pass a handle on the open file to the
> interpreter, rather than closing it and reopening it.
>
> This fix is not present in every Unix or Unix-like OS. In particular (although
> I'm happy to be corrected if I'm wrong) it's not present in FreeBSD, to the
> best of my knowledge. Whether there's a reason for that other than lack of
> developer time I don't know.
>
> Jonathan
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
>
What I can't understand is the complete aversion to sudo. Could you shed any light on why you are trying to avoid a tried and tested method?
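
Added example, not part of the thread and not code from FreeBSD or Perl: the quoted message says the usual fix is to pass a handle on the open file rather than reopening by name. This constructed C demo shows the property that fix relies on: a descriptor keeps referring to the file that was opened even after the name is rebound. The function names and temporary file names are hypothetical.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkdtemp() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed helper: create a small file with known contents. */
static int put(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* 1 if the name still refers to the object behind fd, else 0. */
static int name_matches_fd(const char *path, int fd)
{
    struct stat by_name, by_fd;
    if (stat(path, &by_name) != 0 || fstat(fd, &by_fd) != 0) return 0;
    return by_name.st_dev == by_fd.st_dev && by_name.st_ino == by_fd.st_ino;
}

/* Open once, rebind the name, then read through the descriptor that was
 * held open. Returns 1 when the descriptor still yields the original
 * contents although the name now refers to a different file. */
int pinned_fd_demo(void)
{
    char dir[] = "/tmp/fdpinXXXXXX", a[64], b[64], buf[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/script", dir);
    snprintf(b, sizeof b, "%s/other", dir);
    if (put(a, "checked") || put(b, "swapped")) return -1;
    int fd = open(a, O_RDONLY);                /* the first (and only) open */
    if (fd < 0) return -1;
    int before = name_matches_fd(a, fd);       /* 1: name and fd agree */
    if (rename(b, a) != 0) return -1;          /* name rebound to another file */
    int after = name_matches_fd(a, fd);        /* 0: a second open-by-name would differ */
    ssize_t n = read(fd, buf, sizeof buf - 1); /* fd still reads the original */
    close(fd); unlink(a); rmdir(dir);
    return before == 1 && after == 0 && n == 7 && strcmp(buf, "checked") == 0;
}

int main(void) { printf("pinned: %d\n", pinned_fd_demo()); return 0; }
```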