Re: [Full-Disclosure] Partial Solution to SUID Problems
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] Partial Solution to SUID Problems
- From: Henning Brauer <hb-fulldisclosure@bsws.de>
- Date: Sat, 6 Dec 2003 13:19:40 +0100
On Sat, Dec 06, 2003 at 02:53:58AM -0500, Todd Burroughs wrote:
> If, by "messing up with them", you mean "turning off the suid bit", that
> cannot decrease security. If they think otherwise, they do not know
> what they talk about. Any program that is suid or sgid can either do
> nothing for or decrease your security. I cannot think of any possible
> way that keeping suid/sgid could increase your security. There are some
> exceptions if you want to give people partial root access, like 'sudo'.
please explain how a user should be able to change his password
without a setuid passwd. write access to /etc/spwd.db and pwd.db for
everybody...?
--
Henning Brauer, BS Web Services, http://bsws.de
hb@bsws.de - henning@openbsd.org
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html