Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!wuarchive!zaphod.mps.ohio-state.edu!sol.ctr.columbia.edu!emory!mephisto!prism!gt0178a
From: gt0178a@prism.gatech.EDU (BURNS,JIM)
Newsgroups: comp.unix.internals
Subject: Re: SunOS and shared libraries, security aspects
Message-ID: <13283@hydra.gatech.EDU>
Date: 3 Sep 90 01:43:32 GMT
References: <4006@auspex.auspex.com>
Distribution: usa
Organization: Georgia Institute of Technology
Lines: 23

in article <4006@auspex.auspex.com>, guy@auspex.auspex.com (Guy Harris) says:

>>Rather, it's to make login non-setuid in the first place. The only time
>>login should run as root is from a controlled daemon, such as telnetd or
>>getty.

> I've no problem with that

Excuse me, but I don't understand how login (su, rsh, rlogin) would be able
to change your uid without using setuid(3), which is documented as needing
superuser status:

     NAME
          setuid, seteuid, setruid, setgid, setegid, setrgid - set user
          and group ID

     [...]

          These calls are only permitted to the super-user or if the
          argument is the real or effective ID.

-- 
BURNS,JIM
Georgia Institute of Technology, Box 30178, Atlanta Georgia, 30332
uucp:     ...!{decvax,hplabs,ncar,purdue,rutgers}!gatech!prism!gt0178a
Internet: gt0178a@prism.gatech.edu
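The manual-page rule quoted in the post, as an added example (not code from the post or from SunOS): `uid_change_permitted` models the documented policy, and `try_setuid` probes the running kernel with setuid(2) so the reader can see the EPERM an unprivileged process gets when it asks for an ID it does not hold. The uid 65534 is a constructed stand-in for "some ID other than ours".

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Model of the documented rule: permitted to the super-user, or when the
 * requested ID equals the real or effective ID of the caller. */
int uid_change_permitted(uid_t ruid, uid_t euid, uid_t target)
{
    if (euid == 0)
        return 1;
    return target == ruid || target == euid;
}

/* Probe the live kernel: returns 0 on success, otherwise the errno value. */
int try_setuid(uid_t target)
{
    if (setuid(target) == 0)
        return 0;
    return errno;
}

int main(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    /* Constructed: an ID this process (almost certainly) does not hold. */
    uid_t other = (ruid == 65534) ? 65533 : 65534;

    printf("real uid %u, effective uid %u\n", (unsigned)ruid, (unsigned)euid);

    /* Re-asserting the ID we already hold is always allowed. */
    printf("setuid(%u) -> %d\n", (unsigned)ruid, try_setuid(ruid));

    printf("policy says setuid(%u) is %s\n", (unsigned)other,
           uid_change_permitted(ruid, euid, other) ? "permitted" : "denied");

    int rc = try_setuid(other);
    if (rc == 0)
        printf("setuid(%u) succeeded: we held superuser privilege\n", (unsigned)other);
    else
        printf("setuid(%u) failed: %s\n", (unsigned)other, strerror(rc));
    return 0;
}
```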