On the Correctness of Set-User-ID programs

utzoo!decvax!ucbvax!unix-wizards
Wed Aug 26 21:14:19 AEST 1981


From MathStat.jmrubin at Berkeley Wed Aug 26 21:09:58 1981
	One trouble with JNC at MIT-XX's suggestion on setgid programs
is that the group security has not been as well thought out on Unix
as the individual security.  Many programs, which are made setgid,
provide ways to fork shells, without resetting the gid.  Moreover,
if you can get ahold of a file which belongs to you but is in a
given group (say a core dump) you can, on many Unix systems,
put a setgid program to fork a shell in that file.
	One more advantage of being setuid to root is that root can chown
and chgrp files, so a program can create a file which will belong to a
user.  It occurs to me that if mkdir were setgid, then all
subdirectories which one created would be owned by the group of mkdir.
Thus, no one would be able to limit access to a subdirectory to
members of their own group without going to a super-user and asking
to give that group the directory.
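
The shell-escape problem described in the post above, shown from the fixing side. This is an added example, not part of the original message: a shell escape that resets the group and user IDs in the child before running /bin/sh. The function names drop_setid and shell_escape are hypothetical, and the code assumes a POSIX system with setregid/setreuid.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up set-group-ID and set-user-ID privilege.
 * Returns 0 on success, -1 if an ID could not be reset or can be regained. */
int drop_setid(void)
{
    gid_t rgid = getgid(), old_egid = getegid();
    uid_t ruid = getuid(), old_euid = geteuid();

    /* Group first: once the user ID is dropped the group may be unchangeable.
     * Setting the real ID as well also overwrites the saved set-ID. */
    if (setregid(rgid, rgid) != 0) return -1;
    if (setreuid(ruid, ruid) != 0) return -1;

    /* Verify: the old effective IDs must no longer be reachable. */
    if (old_egid != rgid && setegid(old_egid) == 0) return -1;
    if (old_euid != ruid && seteuid(old_euid) == 0) return -1;
    return (getegid() == rgid && geteuid() == ruid) ? 0 : -1;
}

/* Run cmd through /bin/sh in a child that has dropped privilege first.
 * Returns the command's exit status, or -1 on failure. */
int shell_escape(const char *cmd)
{
    int status;
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_setid() != 0) _exit(126);   /* never exec with extra IDs */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                          /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample command: the shell reports the IDs it runs with. */
    int rc = shell_escape("id");
    printf("shell exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Installed setgid, the program should show `id` reporting only the invoking user's own group; the parent keeps its effective group because the reset happens in the child.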


