Chris Berry writes:
Isn't setuid usually a "bad thing" as it opens up all kinds of security holes? (though from what I hear PHP isn't exactly real secure either)
[EMAIL PROTECTED] httpd]# ls -l /bin/ping
-rwsr-xr-x 1 root root 35302 Jun 23 2002 /bin/ping
Quick -- get rid of 'ping'. It's a major security hole.
Don't forget that for a short time, it seemed likely that it was: http://rhn.redhat.com/errata/RHSA-2000-087.html
I know several admins who disable the SUID on ping (among many other apps) simply because non-root users don't need to ping from the boxes they run, and the SUID may not be safe. Also, ptrace() race conditions may be able to use just about any SUID app as the method for a local exploit.
Not to detract from your point... SUID isn't, itself, a "bad thing". Just that sometimes the paranoid are right, too.
_______________________________________________
courier-users mailing list
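
An added example, not part of the original message or the Courier project: POSIX shell functions for the review the reply describes, listing set-uid files under a directory that are not on a site allowlist and clearing the bit on the ones an admin decides users do not need. The function names and the allowlist format (one absolute path per line) are assumptions.

```shell
#!/bin/sh
# Added example: audit set-uid files against a site allowlist.
# Function names and the allowlist file format are assumptions for
# illustration, not anything defined by the original message.

# audit_suid DIR ALLOWLIST
# Prints every regular file under DIR that has the set-uid bit (like the
# 's' in -rwsr-xr-x) and whose path is not listed in ALLOWLIST.
# ALLOWLIST holds one absolute path per line; '#' comment lines never
# match a path, so they are ignored by the exact-line comparison.
audit_suid() {
    dir=$1
    allow=$2
    # -xdev: stay on one filesystem; -perm -4000: set-uid bit is set.
    find "$dir" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r f; do
        # -F fixed string, -x whole line: no regex or prefix surprises.
        if ! grep -Fxq -- "$f" "$allow" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# strip_suid FILE...
# Clears the set-uid bit on each file and reports what changed. The file
# stays in place, so root can still run it; unprivileged users lose only
# the elevated behaviour (for ping, the ability to open a raw socket).
strip_suid() {
    for f in "$@"; do
        chmod u-s -- "$f" && printf 'cleared set-uid: %s\n' "$f"
    done
}

# Run as a script:  sh audit.sh DIR ALLOWLIST
# Review the output by hand before passing any path to strip_suid.
if [ "$#" -eq 2 ]; then
    audit_suid "$1" "$2"
fi
```

Package updates can restore the original mode, so the audit is worth repeating after upgrades.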
