Path: utzoo!attcan!uunet!cs.utexas.edu!tut.cis.ohio-state.edu!pt.cs.cmu.edu!rochester!udel!princeton!phoenix!subbarao
From: subbarao@phoenix.Princeton.EDU (Kartik Subbarao)
Newsgroups: comp.unix.questions
Subject: Re: Setuid programs
Keywords: suid
Message-ID: <14644@phoenix.Princeton.EDU>
Date: 17 Mar 90 19:29:25 GMT
References: <1990Mar16.224120.24013@aucs.uucp>
Reply-To: subbarao@phoenix.Princeton.EDU (Kartik Subbarao)
Lines: 28

In article <1990Mar16.224120.24013@aucs.uucp> 852028e@aucs.UUCP (Amari M. Elammari) writes:
>
>Does anybody know about any good references for:
>
>	- How to write setuid programs.
>	- What are the security problems with suid programs.
>	- Anything about suid programs...
>

a) Writing a SUID program is no different from writing a normal program.
The only difference is upon execution, the program will run as your userid
(i.e. have all privileges that you do). For example, if you wanted to write
a game, and wanted users to only have access to the high score list when
they played the game, you could make the game SUID to you, and simply
write to the file during the game. Also, /bin/su and other programs are
setuid to root, for need of permission.

As to the mechanics of CREATING a suid program, just do chmod u+s to give
set user id, and chmod g+s to give set group id. (That's 4xxx and 2xxx for
you octal fans.)

b) Security Questions - Quite a lot! You can perhaps think of many, as
your program has all of your privileges while being run. Please refer to
Kochan and Wood for more details as to how to design leak-proof setuid
programs.

				-Kartik

-- 
subbarao@{phoenix,bogey or gauguin}.princeton.edu - Internet
subbarao@pucc.princeton.edu - Bitnet