UNIX commands in C

Leslie Mikesell les at chinet.chi.il.us
Sat May 11 13:40:15 AEST 1991


In article <azXkYHbe/UUYI at idunno.Princeton.EDU> subbarao at phoenix.Princeton.EDU (Kartik Subbarao) writes:

>Ha! Using system() in any setuid program itself, regardless of how you invoke
>the program, leaves a major security hole.

In what way is doing a fork() and having the child do a setuid(getuid())
before the system() call any less secure than it would be if the program
were not setuid?  Some unix versions offer less drastic ways to do it,
but that way should work even from a setuid root program under SysV.

Les Mikesell
  les at chinet.chi.il.us
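
The fork-then-drop pattern described in the reply above, written out as an added example (not code from the original post); `run_as_real_user` is a hypothetical name, and the post-drop check is an addition that fails closed if the old effective uid can still be regained.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run cmd via system() in a child that has first
 * given up set-id privileges. Returns the command's exit status, -1 on error. */
int run_as_real_user(const char *cmd)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid();
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Group first: after the uid drop we may not be allowed to change it. */
        if (setgid(rgid) != 0 || setuid(ruid) != 0)
            _exit(127);
        /* A non-root invoker must not be able to get the old euid back. */
        if (ruid != 0 && euid != ruid && setuid(euid) == 0)
            _exit(127);
        status = system(cmd);   /* runs with the invoker's ids only */
        _exit(status != -1 && WIFEXITED(status) ? WEXITSTATUS(status) : 127);
    }
    /* Parent keeps its privileges and just collects the result. */
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("exit status: %d\n", run_as_real_user("id"));
    return 0;
}
```

The child still inherits any file descriptors the privileged parent has open, so those should be closed or marked close-on-exec before the fork.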


