Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!ccut!titcca!cc.titech.ac.jp!necom830!mohta
From: mohta@necom830.cc.titech.ac.jp (Masataka Ohta)
Newsgroups: comp.unix.internals
Subject: Complex security mechanism is unsecure (was Re: non-superuser chown(2)s considered harmful)
Message-ID: <6874@titcce.cc.titech.ac.jp>
Date: 11 Dec 90 13:17:20 GMT
References: <1990Dec6.005358.6336@dg-rtp.dg.com> <109958@convex.convex.com> <18786@rpp386.cactus.org> <1990Dec7.171501.18028@mp.cs.niu.edu> <18792@rpp386.cactus.org>
Sender: news@cc.titech.ac.jp
Organization: Tokyo Institute of Technology
Lines: 25

In article <18792@rpp386.cactus.org> jfh@rpp386.cactus.org (John F Haugh II) writes:

>The result of making a system call "root-only" is that any application
>which might have a legitimate need to execute that function must be
>set-uid to root in order to perform that now privileged operation.

In general, making some application set-uid to root is more secure
                                               ^^^^
than making it set-uid to, say, uucp. In the latter case, you must be
careful that no unauthorized person can have uucp nor root privilege.

If you have an executable owned by uucp in root's command search path
(like /usr/bin/tip), those who have uucp privilege can easily set a
trojan horse trap.

>Unfortunately, if you have an application that
>wants to change the ownership to the user, such as cu, you must now
>make cu set-UID to "root".

But it is more secure.

So, don't make the security mechanism complex. The simpler, the more
secure.

						Masataka Ohta
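The trap Ohta describes (a uucp-owned /usr/bin/tip sitting in root's search path) is easy to check for. The following audit script is an added example, not code from the original post or from any of the thread's authors; it assumes the PATH string handed to it is root's command search path and that the system has a POSIX find(1). It flags every executable in that path, and every directory holding one, that is not owned by uid 0 or that is group- or world-writable, since either condition lets a non-root account substitute the program root will later run.

```shell
#!/bin/sh
# Added example (not from the original post): audit a PATH string for
# executables, or the directories holding them, that a non-root account
# could replace. This is the condition behind the trojan-horse trap the
# post describes for a uucp-owned /usr/bin/tip in root's search path.
#
# Uses only POSIX find(1) primaries (-prune, -user, -perm) so it behaves
# the same with GNU and BSD userlands; no dependency on stat(1) flags.

# Print the path if it is NOT owned by uid 0 (prints nothing otherwise).
not_root_owned() {
    find "$1" -prune ! -user 0 -print 2>/dev/null
}

# Print the path if group or world write permission is set.
loosely_writable() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# audit_path "dir1:dir2:...": print one line per finding.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_path() {
    _findings=0
    # Split the colon-separated list into positional parameters.
    _old_ifs="$IFS"
    IFS=:
    set -- $1
    IFS="$_old_ifs"
    for _dir in "$@"; do
        [ -d "$_dir" ] || continue             # skip missing entries
        if [ -n "$(not_root_owned "$_dir")" ]; then
            echo "DIR NOT ROOT-OWNED: $_dir"
            _findings=$((_findings + 1))
        fi
        if [ -n "$(loosely_writable "$_dir")" ]; then
            echo "DIR WRITABLE: $_dir"
            _findings=$((_findings + 1))
        fi
        for _f in "$_dir"/*; do
            [ -f "$_f" ] && [ -x "$_f" ] || continue   # executables only
            if [ -n "$(not_root_owned "$_f")" ]; then
                echo "NOT ROOT-OWNED: $_f"
                _findings=$((_findings + 1))
            fi
            if [ -n "$(loosely_writable "$_f")" ]; then
                echo "WRITABLE: $_f"
                _findings=$((_findings + 1))
            fi
        done
    done
    [ "$_findings" -eq 0 ]
}

# Example invocation (constructed; substitute root's real PATH):
# audit_path "/usr/bin:/usr/sbin:/bin:/sbin"
```

Run it with root's actual PATH and treat every line as a file that root must not execute until ownership and mode are corrected; a clean run (exit 0) is what a set-uid-root program's environment should look like before anyone relies on the "root is more secure than uucp" argument above.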