On Mon, Nov 19, 2018 at 09:55:07AM +0100, Christoph Pleger wrote: > My program calls getpwuid() with the real user id of the calling user > and then compares this user's name with the name of the one and only > user who is allowed to continue program execution. Do you think that > this can be circumvented?
I'll just repeat - don't write your own setuid programs if you care about security. Here's an old paper that lists some (and certainly not all!) of the things people who do write them have to understand: http://man7.org/conf/lca2010/writing_secure_privileged_programs.pdf It only takes one mistake or one thing you didn't know about or understand properly to make your system insecure. Alasdair _______________________________________________ linux-lvm mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-lvm read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/
