From a security point of view there are a lot of instances where setuid is
a bad idea. There have been quite a few exploits found in such binaries
that are setuid. Just doing a
find / -perm -4000 will turn up a whole plethora of binaries that may be
hidden away just waiting for exploit.

This is an excerpt from a security paper:

Setuid Programs

      Don't write setuid shell scripts
      Don't use library routines that invoke a shell
      Don't use the execlp or execvp library routines
      Use full path names to identify files
      Don't setuid to root unless you need to
      Don't make setuid programs world-readable
      Don't put back-door escapes in your code

Finding Setuid Programs

Regularly compare the output of the following script to spot clandestine 
setuid programs.

/usr/bin/find / -user root -perm -4000 -print

At 07:07 PM 3/11/01 -0800, Vince McHugh wrote:
>Hi All,
>
>   I am hoping to generate some discussion on setting
>the UID and/or the GID on a file. I've been learning
>about it in a class and would like to hear some "real
>world" application of this. I would also be interested
>in security issues or concerns when using this. Thanks
>in advance.
>                            Regards,
>                         Vince McHugh
>                      Systems Support Manager
>                          NECS\Canon
>
>**********************************************************
>To unsubscribe from this list, send mail to
>[EMAIL PROTECTED] with the following text in the
>*body* (*not* the subject line) of the letter:
>unsubscribe gnhlug
>**********************************************************

T. Warfield     
[EMAIL PROTECTED]
http://members.xoom.com/pennacook/
--------------------------------------------------------------------------
"...sometimes dreams are wiser than waking..."
  -- Black Elk
---------------------------------------------------------------------------
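An added example (not from the mail above or the paper it quotes): a POSIX sh script that turns the quoted find(1) one-liner into the "regularly compare" routine the excerpt recommends, saving an inventory of setuid/setgid files as a baseline and reporting what appeared or disappeared on the next run, plus a check for the "don't make setuid programs world-readable" rule. The function names and the baseline-file path in the note are assumptions.

```shell
#!/bin/sh
# Inventory setuid/setgid files under a tree and diff against a saved
# baseline. Added example; only the find(1) predicates come from the mail.

# list_setuid_files ROOT [OWNER]
# Sorted paths of regular files under ROOT with the setuid (4000) or
# setgid (2000) bit set. OWNER (e.g. root, as in the mail's script)
# restricts the search to files owned by that user.
list_setuid_files() {
    if [ -n "$2" ]; then
        find "$1" -xdev -type f -user "$2" \
            \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
    else
        find "$1" -xdev -type f \
            \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
    fi
}

# list_world_readable_setuid ROOT
# Setuid files that are also readable by others (mode bit 004), which the
# checklist above says to avoid.
list_world_readable_setuid() {
    find "$1" -xdev -type f -perm -4000 -perm -004 -print 2>/dev/null | sort
}

# save_setuid_baseline ROOT BASELINE_FILE [OWNER]
save_setuid_baseline() {
    list_setuid_files "$1" "$3" > "$2"
}

# compare_setuid_baseline ROOT BASELINE_FILE [OWNER]
# Print "+ path" for setuid files absent from the baseline and "- path" for
# baseline entries that no longer exist; return 1 if anything changed.
compare_setuid_baseline() {
    added=$(list_setuid_files "$1" "$3" | comm -13 "$2" -)
    removed=$(list_setuid_files "$1" "$3" | comm -23 "$2" -)
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/+ /'
    fi
    if [ -n "$removed" ]; then
        printf '%s\n' "$removed" | sed 's/^/- /'
    fi
    if [ -n "$added" ] || [ -n "$removed" ]; then
        return 1
    fi
    return 0
}
```

Run `save_setuid_baseline / /var/lib/setuid-baseline.txt root` once on a known-good system (the path is only a suggestion), then schedule `compare_setuid_baseline / /var/lib/setuid-baseline.txt root` and alert on a non-zero exit; a "+" line is a setuid root file that was not there last time.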

