Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!cbatt!ihnp4!houxm!hropus!jrw
From: jrw@hropus.UUCP (Jim Webb)
Newsgroups: net.unix-wizards
Subject: Re: Which commands (in /bin & /usr/bin) must have set user ID (for root)
Message-ID: <743@hropus.UUCP>
Date: Mon, 20-Oct-86 13:07:25 EDT
Article-I.D.: hropus.743
Posted: Mon Oct 20 13:07:25 1986
Date-Received: Tue, 21-Oct-86 06:46:09 EDT
References: <115@tijc02.UUCP> <735@hropus.UUCP> <1040@ho95e.UUCP>
Organization: Bell Labs, Holmdel, NJ
Lines: 39

This is not the beginning of a shouting match...

> What surprised me about the list Jim replied with was that most of the
> commands were -rws......! Why should a setuid command *ever* be writeable?
> - it's just *inviting* attempts to find a bug and convince the command to
> write over itself.

First off, root can overwrite any file regardless of perms, yes/no?
Second, ever see "error: text busy"? You cannot remove or write over a
file that is running somewhere on the system (or, to be picky, has the
sticky bit set and has been run).

> Are there any commands that actually depend on this?

Self modifying code, perhaps :-)

> >-rwsr-xr-x 1 root sys 47197 Oct 20 1985 at
> >-rwsr-xr-x 1 root sys 25093 Nov 5 1983 crontab
> >at needs to talk to cron in a very specific manner.
> I would expect you could write a good cron without setuid, since
> /etc/cron runs as root? Likewise "at", since it's the other side of cron?

at and crontab need to yell down /usr/lib/cron/FIFO to talk with cron. I
suppose you could make these commands setgid to some unique group and make
this pipe writable only by that group.

> What irks me more, though, is that the "lp" commands all run setuid-lp
> setgid-bin; this means that in a directory which lp can't access (e.g. 700),
> lp foo
> fails, though
> lp
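As an added defender-side example, not part of Jim Webb's post or anything else in the thread: a small POSIX sh audit that flags setuid entries in an `ls -l` style listing when the mode also grants group or other write permission, and a check for the FIFO permission model the post proposes (a pipe writable only by one dedicated group). The listing is constructed for the example in the format of the quoted lines; the real mode of /usr/lib/cron/FIFO is not given on the page, so the FIFO modes below are assumed values.

```shell
#!/bin/sh
# Constructed sample listing (same shape as the quoted ls -l lines);
# the last three entries are made up to exercise the checks.
SAMPLE_LISTING='-rwsr-xr-x 1 root sys 47197 Oct 20 1985 at
-rwsr-xr-x 1 root sys 25093 Nov  5 1983 crontab
-rwsrwxr-x 1 root sys 12345 Jan  1 1986 grpwritable
-rwsr-xrwx 1 root sys 23456 Jan  1 1986 worldwritable
-rwxr-xr-x 1 root sys 34567 Jan  1 1986 plainbin'

# Mode string positions: 1 type, 2-4 user rwx, 5-7 group rwx, 8-10 other rwx.
# Position 4 is 's' (setuid + user exec) or 'S' (setuid, no user exec).
# Owner-write (position 3) is not flagged: as the post notes, root can write
# the file regardless, so only group/other write bits widen the exposure.
flag_writable_setuid() {
    printf '%s\n' "$1" | while read -r mode links owner group size rest; do
        name=${rest##* }          # last whitespace-separated field is the name
        case $mode in
            ???[sS]?w????|???[sS]????w?) echo "$name" ;;   # group or other 'w'
        esac
    done
}

# The post's proposal: make at/crontab setgid to a unique group and let the
# cron FIFO be writable by that group only. Return 0 when a FIFO mode string
# grants group write but no other write; anything else is rejected.
fifo_group_only_write() {
    case $1 in
        p????w??-?) return 0 ;;   # type 'p', group 'w' at 6, other '-' at 9
        *) return 1 ;;
    esac
}

# Demonstration when run directly.
echo "setuid entries writable by group or others:"
flag_writable_setuid "$SAMPLE_LISTING"
for m in 'prw--w----' 'prw-rw-rw-'; do     # assumed FIFO modes, not from the page
    if fifo_group_only_write "$m"; then
        echo "$m: group-only write (matches proposed model)"
    else
        echo "$m: rejected (others can write, or group cannot)"
    fi
done
```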