On Wed, Jun 20, 2001 at 12:02:47AM -0600, Hubert Chan wrote:
> be SUID, you're safer without it being SUID). Is there any (sane) way
> of making it so that programs such as passwd, chsh, etc. don't need to
> be SUID?

Not really. Not if you want to ensure that any of the data they can alter
passes sanity checks despite a malicious user, which is a case you certainly
have to allow for. Putting the password into a file that the user owns also
allows a careless user to make it world-readable (or even writeable, eh?).

Nope. SUID programs are a security risk because they offer interesting
power to those who can subvert them, but they are also the way Unix systems
extend restricted access to protected resources to non-root users. Rather
than trying to eliminate them, which is almost certainly impossible without
adding something comparable to ACLs and a raft of systemic changes (to
segregate what are now fields in one record to be in separate, hence
separately access-controlled files, for example), we might want to consider
whether they could instead be implemented in a way that made them much less
likely to be exploitable. The C language is a wonderful thing, but it
offers many subtle ways to err.
--
Truth in advertising is like leaven, which a woman hid in three
measures of meal. It provides a suitable quantity of gas, with
which to blow out a mass of crude misrepresentations into a form
that the public can swallow. - Dorothy Sayers, _Murder Must Advertise_
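An added illustration of the "implement SUID programs so they are less exploitable" point made in the reply above; this is example code written for this page, not code from the poster or from any Debian package. It shows the privilege-drop pattern a SUID helper should follow: do the one privileged operation, then give up the elevated uid/gid permanently and verify the drop actually stuck before doing anything else. It assumes a Linux/glibc system, where setuid() called by a privileged process resets the real, effective and saved uid together; the function names are my own.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Permanently give up elevated privilege and return to the real uid/gid.
 * Returns 0 on success, -1 if any step failed or the drop did not stick.
 * (Hypothetical helper written for this example.) */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Supplementary groups are not touched by setuid()/setgid(), so a
     * root-running helper must clear them explicitly (only root may). */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* Group first: once the uid is unprivileged, setgid() would fail. */
    if (setgid(rgid) != 0)
        return -1;

    /* From a privileged process, Linux setuid() sets real, effective and
     * saved uid, so no saved-root id remains to reclaim via seteuid(0). */
    if (setuid(ruid) != 0)
        return -1;

    /* Never trust the return value alone: check the ids really changed. */
    if (getuid() != ruid || geteuid() != ruid)
        return -1;
    if (getgid() != rgid || getegid() != rgid)
        return -1;

    /* If we dropped away from root, confirm root cannot be regained. */
    if (ruid != 0 && seteuid(0) == 0)
        return -1;

    return 0;
}

/* Returns 1 when this process is running with an elevated uid, i.e. it
 * was started as a SUID binary whose effective uid differs from the real uid. */
int running_elevated(void)
{
    return getuid() != geteuid();
}

int main(void)
{
    if (running_elevated())
        printf("started SUID: euid %u, real uid %u\n",
               (unsigned)geteuid(), (unsigned)getuid());

    /* The single privileged operation (e.g. rewriting the password entry)
     * would go here, before the drop. */

    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "privilege drop failed; refusing to continue\n");
        return 1;
    }
    printf("now running unprivileged as uid %u\n", (unsigned)geteuid());
    return 0;
}
```

The ordering matters: groups, then gid, then uid, each checked, followed by a read-back of the ids and an attempt to regain root that must fail. A helper that only calls setuid() and ignores the result, or that calls seteuid() instead (which leaves the saved uid as root), is the kind of subtle C error the reply is warning about.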