Quoth guy keren on Sat, Jul 22, 2000:
> the way you describe this - you ight as well give those users the root
> password, as your little program can be quite trivially fooled into
> running any code the user wants to. in general, one should NOT write suid
> programs without proper security checking.
True.
> just as an example, one could
> use the LD_PRELOAD environment variable in order to load a library that
> defines 'system' as a function that simply spawns a shell and attaches its
> prompt to the user's terminal.
In sane systems (which, in this case, I believe, include Linux)
LD_PRELOAD and LD_LIBRARY_PATH are not used when running setuid
or setgid binaries. This is to allow such binaries to be
dynamically linked without opening too many security holes.
> no, sudo is better here.
Agreed. Why develop a special application when you have general
ones?
Vadik.
--
Real software engineers don't debug programs, they verify correctness.
This process doesn't necessarily involve execution of anything on a
computer, except perhaps a Correctness Verification Aid package.
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
