Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site qubix.UUCP
Path: utzoo!linus!security!genrad!decvax!decwrl!sun!qubix!msc
From: msc@qubix.UUCP (Mark Callow)
Newsgroups: net.unix-wizards
Subject: Access rights for suid programs.
Message-ID: <716@qubix.UUCP>
Date: Sun, 18-Dec-83 18:33:26 EST
Article-I.D.: qubix.716
Posted: Sun Dec 18 18:33:26 1983
Date-Received: Tue, 20-Dec-83 00:27:39 EST
Organization: Qubix Graphic Systems, Saratoga, CA
Lines: 24

Almost every suid program has problems with having the correct access
rights at the right time during the program. For example, uucp cannot
read your files if they have mode 640 because it runs suid uucp.

Another example is tip which, although making an effort to get it right,
still has problems. If your /usr/spool/uucp has mode 755, tip cannot
remove the lock file it creates there because, after it creates it, it
changes back to the real uid so that it can read your files etc.

All these problems come down to not having the correct 1 of 2 sets of
access permissions at a given time. There seems to be a very simple
solution. Give suid programs the access permissions of both the real
and effective id's AT THE SAME TIME.

This seems so blindingly obvious that there must be some fatal flaw in the
idea since I've never seen it mentioned before. I'm interested in anyone's
comments on this idea. I'd be especially interested in Dennis Ritchie's
comments as the holder of the patent on the suid scheme.
-- 
From the Tardis of Mark Callow
msc@qubix.UUCP, decwrl!qubix!msc@Berkeley.ARPA
...{decvax,ucbvax,ihnp4}!decwrl!qubix!msc, ...{ittvax,amd70}!qubix!msc
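
Added example, not part of the original post: a simplified C model of the owner/group/other permission check, applied to the uucp and tip cases described above and to the proposed "both ids at once" rule. The uids, gids, the uucp-owned mode 600 file and all function names are constructed for illustration; superuser and supplementary groups are ignored.

```c
#include <stdio.h>

/* Simplified model of the classic Unix access check. All ids, modes and
   names are constructed; no superuser, no supplementary groups. */
enum { WANT_R = 4, WANT_W = 2, WANT_X = 1 };
struct cred { int uid, gid; };
struct obj  { int owner, group, mode; };        /* a file or a directory */

/* One identity against one object: owner bits, else group bits, else other. */
static int allowed(struct cred c, struct obj o, int want) {
    int bits;
    if (c.uid == o.owner)      bits = (o.mode >> 6) & 7;
    else if (c.gid == o.group) bits = (o.mode >> 3) & 7;
    else                       bits = o.mode & 7;
    return (bits & want) == want;
}

/* The rule proposed in the post: access if either identity would get it. */
static int allowed_union(struct cred real, struct cred eff, struct obj o, int want) {
    return allowed(real, o, want) || allowed(eff, o, want);
}

static const struct cred USER = {100, 10}, UUCP = {5, 5};
static const struct obj USER_FILE = {100, 10, 0640}; /* your file, mode 640 */
static const struct obj SPOOL_DIR = {5, 5, 0755};    /* /usr/spool/uucp, 755 */
static const struct obj UUCP_PRIV = {5, 5, 0600};    /* assumed uucp-only file */

/* uucp case: the effective id (uucp) is checked against the user's file. */
int uucp_reads_user_file(void) { return allowed(UUCP, USER_FILE, WANT_R); }

/* tip case: creating or removing a lock needs write+search on the directory. */
int tip_creates_lock(void)      { return allowed(UUCP, SPOOL_DIR, WANT_W | WANT_X); }
int tip_removes_after_switch(void) { return allowed(USER, SPOOL_DIR, WANT_W | WANT_X); }

/* The same operations under the union rule. */
int union_reads_user_file(void) { return allowed_union(USER, UUCP, USER_FILE, WANT_R); }
int union_removes_lock(void)    { return allowed_union(USER, UUCP, SPOOL_DIR, WANT_W | WANT_X); }

/* The union rule cannot tell on whose behalf an access is made: a file only
   uucp may read is also readable when the path came from the invoking user,
   while a check against the real id alone denies it. */
int union_reads_uucp_private(void)   { return allowed_union(USER, UUCP, UUCP_PRIV, WANT_R); }
int real_id_reads_uucp_private(void) { return allowed(USER, UUCP_PRIV, WANT_R); }

int main(void) {
    printf("uucp reads 640 file: %d, tip removes lock after switch: %d\n",
           uucp_reads_user_file(), tip_removes_after_switch());
    printf("union: read %d, remove %d, uucp-private read %d (real id alone: %d)\n",
           union_reads_user_file(), union_removes_lock(),
           union_reads_uucp_private(), real_id_reads_uucp_private());
    return 0;
}
```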