Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!qt.cs.utexas.edu!cs.utexas.edu!asuvax!ncar!hsdndev!cmcl2!uupsi!sunic!enea!u30003!tomas
From: tomas@u30003.rsv.svskt.se (Tomas Ruden)
Newsgroups: comp.unix.admin
Subject: Re: Running random user programs as ROOT?!
Message-ID: <1991Jun28.111731.14389@u30003.rsv.svskt.se>
Date: 28 Jun 91 11:17:31 GMT
References: <70@pyuxf.UUCP> <1991Jun21.233414.10848@gpu.utcs.utoronto.ca> <867@minya.UUCP>
Organization: Swedish Tax Administration
Lines: 31

In article <867@minya.UUCP> jc@minya.UUCP (John Chambers) writes:
>> I hope not. Su sets *real* and effective user ID. The
>> saved-set-user-ID should be wiped out by the su program when SUing
>> to the user's account. Otherwise SU is *horribly* broken.
>
>OK, so if I wanted to write a version of su that wasn't "horribly
>broken", how would I do it? I've dug around in TFM on several
>occasions, trying to make sense of the saved-set-user-ID concept, to
>little avail. They seem to think that they should keep it a secret
>from me, because if I'm interested, I am obviously an Evil Hacker who
>is trying to violate system security.
>
>So far, I haven't seen any documented system call to set this third
>uid that some Unix kernels keep. If there's no (documented) way to set
>it, how can you accuse a program of being "horribly broken" if it
>doesn't set it correctly?

Talking HP-UX, based on BSD Unix, the saved-user-ID is set to the
effective-user-ID when the process performs an exec.

I think, but I'm not sure, that saved-user-ID isn't supported in AT&T V.3.

>--
>All opinions Copyright (c) 1991 by John Chambers. Inquire for licensing at:
>Home: 1-617-484-6393 ...!{bu.edu,harvard.edu,ima.com,eddie.mit.edu,ora.com}!minya!jc
>Work: 1-508-486-5475 {sppip7.lkg.dec.com!jc,ub40::jc}

--
Tomas Ruden, tomas@u30003.rsv.svskt.se
Don't blame the Swedish Tax      ! I wish I had an English
Administration for my opinions   ! spellingchecker
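
An added example, not part of the original post: on current Linux and BSD systems (an assumption; these calls are not the interfaces of the HP-UX or System V releases discussed in the thread), setresuid() sets the real, effective and saved IDs in one call and getresuid() reads them back, so a su-like program can verify that no saved set-user-ID survives the switch. The function names all_uids_are and drop_to_uid are hypothetical.

```c
#define _GNU_SOURCE              /* glibc: exposes getresuid()/setresuid() */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes (matching glibc/BSD) in case feature macros were
 * already fixed by an earlier include. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* 1 if real, effective and saved UID all equal uid, 0 if not, -1 on error. */
int all_uids_are(uid_t uid)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return r == uid && e == uid && s == uid;
}

/* Permanently switch to target; 0 on success, -1 on failure.
 * A real su would first fix groups with setgid()/initgroups(). */
int drop_to_uid(uid_t target)
{
    uid_t old_e = geteuid();
    if (setresuid(target, target, target) != 0)
        return -1;
    if (all_uids_are(target) != 1)
        return -1;
    /* After a real change to a non-root identity, regaining the old
     * effective UID must fail; success means a saved ID survived. */
    if (target != 0 && old_e != target && seteuid(old_e) == 0)
        return -1;
    return 0;
}

int main(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) { perror("getresuid"); return 1; }
    printf("before: real=%ld effective=%ld saved=%ld\n", (long)r, (long)e, (long)s);
    if (drop_to_uid(getuid()) != 0) { perror("drop_to_uid"); return 1; }
    if (getresuid(&r, &e, &s) != 0) { perror("getresuid"); return 1; }
    printf("after:  real=%ld effective=%ld saved=%ld\n", (long)r, (long)e, (long)s);
    return 0;
}
```

Installed set-user-ID and run by an ordinary user, the "before" line shows the saved ID equal to the effective ID set at exec, and the "after" line shows all three equal to the invoking user.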