Re: [Full-Disclosure] Partial Solution to SUID Problems

[Henning Brauer <hb-fulldisclosure@bsws.de>]

On Sun, Dec 07, 2003 at 03:48:03PM +0100, Markus Friedl wrote:
> > On a server that you have shell access, you probably really need to add
> > 'passwd' to the 'suid partitiion'.  You may need some other things,
> > on some of our servers, I have 'ping' as well.
> it's not really necessary to have passwd setuid.  

actually, I wasn't so much after passwd, this was just an example. the 
same rule applies for all more or less shared ressources where the 
individual users needs write access to under special constraints, but 
not generally - like with passwd, normal users should not have write 
access in general, but need for changing their passwords, thus a 
setuid passwd. This case can be worked around, others probably too, 
some probably not. the point was that a setuid or setgid binary in 
this case increases security over having write access for everyone.
same rules apply for ressources where the ordinary user must not have 
read access except for the special cases.

-- 
Henning Brauer, BS Web Services, http://bsws.de
hb@bsws.de - henning@openbsd.org
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html