Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!wuarchive!rex!samsung!zaphod.mps.ohio-state.edu!think.com!snorkelwacker.mit.edu!bloom-beacon!eru!hagbard!sunic!dkuug!daimi!protonen
From: protonen@daimi.aau.dk (Lars J|dal)
Newsgroups: comp.os.minix
Subject: Re: gak! yet another idiot beginner asking stupid stuff!
Message-ID: <1991May16.093136.11171@daimi.aau.dk>
Date: 16 May 91 09:31:36 GMT
References: <9852@star.cs.vu.nl> <9105102589@arrakis.nl.mugnet.org> <1991May13.124327.21919@nmrdc1.nmrdc.nnmc.navy.mil> <1991May14.202411.3372@nuchat.sccsi.com>
Sender: protonen@daimi.aau.dk (Lars J|dal)
Organization: DAIMI: Computer Science Department, Aarhus University, Denmark
Lines: 24

kevin@nuchat.sccsi.com (Kevin Brown) writes:
[...]
>The reason for all that is that the chown() system call requires root privs
>under Minix.  Under System V, it doesn't, but instead checks to see whether
>or not the owner of the file (or root) is trying to change the file's
>ownership.  On systems without disk quota, the approach taken by System V
>is the Right Answer (IMHO). But the System V approach leads to problems on 
>systems that implement disk quota (you want more space?  chown your files to 
>root! :-)...
[...]

Doesn't this approach give a security problem (whether or not you have
quotas)? As I see it, you could just make your brilliant hackerprogram
suid and then change the owner to root!
If the approach has been used in a real UNIX system, of course an obvious
problem like this would have been foreseen at implementation :-),
so I must be misunderstanding something. What?

+--------------------------------------------------------------------------+
|      Lars J|dal       |       (put your favourite quotation here)        |
| protonen@daimi.aau.dk |                                                  |
|--------------------------------------------------------------------------|
| Computer Science Department  -  Aarhus University  -  Aarhus  -  Denmark |
+--------------------------------------------------------------------------+