Xref: utzoo comp.unix.wizards:7038 comp.bugs.sys5:368
Path: utzoo!mnetor!uunet!husc6!hao!ames!ll-xn!mit-eddie!fenchurch.mit.edu!jbs
From: jbs@fenchurch.MIT.EDU (Jeff Siegal)
Newsgroups: comp.unix.wizards,comp.bugs.sys5
Subject: Re: Guide to writing secure setuid programs?
Message-ID: <8468@eddie.MIT.EDU>
Date: 14 Mar 88 00:51:01 GMT
References: <181@wsccs.UUCP> <722@rivm05.UUCP> <1037@woton.UUCP> <700@virginia.acc.virginia.edu> <7616@oberon.USC.EDU>
Sender: uucp@eddie.MIT.EDU
Reply-To: jbs@eddie.MIT.EDU (Jeff Siegal)
Organization: MIT EE/CS Computer Facilities, Cambridge, MA
Lines: 29

In article <7616@oberon.USC.EDU> blarson@skat.usc.edu (Bob Larson) writes:
>In article <700@virginia.acc.virginia.edu> scl@virginia.acc.Virginia.EDU (Steve Losen) writes:
>> [...]. I made the directory 777 instead of using
>> setuid-to-lp fraud. Sure a malicious user can remove files in the
>> print queue. So what?
>So what? It depends a lot on what you are printing. When someone
>modifies the batch of checks waiting to be printed or gives the
>confidential information you were printing to a competitor I doubt
>your boss would say "So what?".

Setting the directory mode to 777 by itself doesn't let anyone modify
or read anything. All it allows people to do is:

1. List the file names in the directory
2. Access files in the directory _according_to_their_modes_.
3. Remove files from the directory.

#1 can be prevented, if necessary, by setting the directory mode to 733
rather than 777. This effectively prevents #2 and #3 if you use obscure
file names.

#2 can be absolutely prevented in any case by setting the mode of each
file in the directory appropriately.

#3 can be absolutely prevented on BSD 4.3 systems by setting the sticky
bit (mode 1733) on the directory.

The security risk is minimal, since all that can be done is removing the
files, not reading or writing them. Even this can be effectively
prevented by using the measures described above.

Jeff Siegal
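As an added example, not code from Jeff's post or from any lp implementation: a C routine that audits a spool directory for the three exposures the post lists (names listable, files removable, files readable or writable by others) against the mitigations it names (733, the sticky bit, per-file modes), plus a helper that builds a throwaway directory under /tmp so the check can be run. audit_spool_dir, make_demo_spool and the /tmp/spoolXXXXXX path are my own names and assumptions.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* One flag per exposure enumerated in the post. */
enum {
    SPOOL_LISTABLE     = 1, /* #1: others can list names (o+r on the directory) */
    SPOOL_REMOVABLE    = 2, /* #3: others can unlink (o+w without the sticky bit) */
    SPOOL_FILE_EXPOSED = 4  /* #2: a file inside is world-readable or -writable */
};
/* Audit a spool directory against the post's advice (733 hides names, 1733 stops
 * removal, per-file modes stop access). Returns a flag bitmask, -1 if not a dir. */
int audit_spool_dir(const char *path)
{
    struct stat st; struct dirent *e;
    char full[4096]; int flags = 0;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (st.st_mode & S_IROTH)
        flags |= SPOOL_LISTABLE;
    if ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX))
        flags |= SPOOL_REMOVABLE;
    DIR *d = opendir(path);
    if (d == NULL) return flags;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue; /* skip "." and ".." */
        snprintf(full, sizeof full, "%s/%s", path, e->d_name);
        if (stat(full, &st) == 0 && (st.st_mode & (S_IROTH | S_IWOTH)))
            flags |= SPOOL_FILE_EXPOSED;
    }
    closedir(d);
    return flags;
}
/* Constructed fixture: throwaway /tmp directory with the given directory mode
 * and one queued job file with the given file mode; the path goes into buf. */
int make_demo_spool(char *buf, size_t n, mode_t dirmode, mode_t filemode)
{
    char job[4096];
    if (snprintf(buf, n, "/tmp/spoolXXXXXX") >= (int)n || mkdtemp(buf) == NULL)
        return -1;
    snprintf(job, sizeof job, "%s/job1", buf);
    int fd = open(job, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || fchmod(fd, filemode) != 0 || chmod(buf, dirmode) != 0)
        return -1; /* fchmod/chmod set the exact bits regardless of umask */
    return close(fd);
}
```

A 1733 directory holding 0600 files audits clean; a 733 directory without the sticky bit reports only SPOOL_REMOVABLE, and a 777 directory with 0644 files reports all three flags.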