On the Correctness of Set-User-ID programs
utzoo!decvax!ucbvax!unix-wizards
utzoo!decvax!ucbvax!unix-wizards
Tue Aug 25 19:25:28 AEST 1981
>From Eps at UCLA-SECURITY Mon Aug 24 17:06:31 1981
Random comments:
Locking: As I recall, passwd(1) links /etc/passwd to /etc/ptmp as
a lock in V7 Unix.
General: Unix/TS and its derivatives set the uid in the proc
table from RUID, so a user can kill(1) a SUID program.
Unix-V7: as for /tmp being writable, I've seen quite a few
Unix systems that have the following lines in /etc/rc:
cd /tmp
rm -f *
Needless to say, PATH was set to something like ":/bin:/usr/bin:/etc"
Unix-V7: cithep's solution to the at(run) problem is to create
the files in /usr/spool/at with mode 6744. atrun will refuse
to run a file without both SUID and SGID. This is especially
important since the owner of a file (as well as the superuser)
can chown(chgrp) files (although set bits get reset if the
user isn't super and the uid/gid don't match the euid/egid) on
that system. This way at(1) is left unprivileged, and
/usr/spool/at is left writable.
I've found that set-gid is sufficient for most "magic" programs,
and that set-uid-root is only needed when the full capabilities
of the Superuser are essential. The authors also failed to
mention the tremendously useful access(2) call, which is not
easily �available to SUID shell scripts. access() is fairly
cheap insurance when checking permissions on an existing file,
it does get a little trickier when you want to see if you can
"safely" do a creat() call on behalf of the RUID. One of
the things I've found annoying is that there is no way to
"temporarily disable your privileges"--you can only throw
them away. This case crops up when a set-uid-not-root
program needs to open a file that only the RUID can. One
possible solution to this problem might be the addition of
xchuid() and xchgid() calls, to swap Rs and Es. Comments?
--Eric
-------
More information about the Comp.unix.wizards
mailing list