Xref: utzoo comp.unix.wizards:7106 comp.bugs.sys5:375
Path: utzoo!mnetor!uunet!husc6!hao!ames!umd5!uvaarpa!virginia!scl
From: scl@virginia.acc.virginia.edu (Steve Losen)
Newsgroups: comp.unix.wizards,comp.bugs.sys5
Subject: Re: Guide to writing secure setuid programs?
Message-ID: <702@virginia.acc.virginia.edu>
Date: 15 Mar 88 15:31:06 GMT
References: <181@wsccs.UUCP> <722@rivm05.UUCP> <1037@woton.UUCP> <8468@eddie.MIT.EDU> <391@vsi.UUCP>
Reply-To: scl@virginia.acc.Virginia.EDU (Steve Losen)
Organization: University of Va., Charlottesville, VA
Lines: 41

In article <391@vsi.UUCP> friedl@vsi.UUCP (Stephen J. Friedl) writes:
>In article <8468@eddie.MIT.EDU>, jbs@fenchurch.MIT.EDU (Jeff Siegal) writes:
>> Setting the directory mode to 777 by itself doesn't let anyone modify
>> or read anything. All it allows people to do is:
>>
>> 1. List the file names in the directory
>> 2. Access files in the directory _according_to_their_modes.
>> 3. Remove files from the directory.
>
>You missed at least two:
>
> 4. Rename files
> 5. Add new files
>
>What if you see a job ready to print. You know payroll will be printing
>checks soon so you make up a file of your own checks. When you see it
>in the queue you remove theirs and insert yours.

Sorry I started such a controversy here. I must agree that in many
situations you need a secure print spooler. My intent was to simply
illustrate that in some situations setuid hassles can be avoided
altogether. One should always balance the risks of opening up
permissions on certain files/directories with the possibly hidden risks
of poorly designed setuid software.

For the record, the spooler I wrote was a shell script and we all know
setuid shell scripts are either unsupported (sysV) or a security hole
(BSD). This script emulates a "spool" command that runs on our Prime
systems that can print to sites all over the grounds (campus). The
spooler shell script puts files in a directory for a daemon to kermit
(ugh!) to a Prime system for printing.

The users of this system are all academic types who understand the
risks, drawbacks (slowness), etc., but who nevertheless have
successfully and happily printed their jobs with this Rube Goldberg
monstrosity for the past two years. I admit that this system was
cobbled up quite hastily, but we were expecting to get TCP/IP on the
Primes real soon and well, uh, ... you know how these things go.
--
Steve Losen     scl@virginia.edu
University of Virginia Academic Computing Center
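The thread turns on what a mode-777 spool directory permits (anyone can add, remove and rename entries, whatever the files' own modes say) and on the resulting risk of one queued job being swapped for another. As an added illustration, not code from the original posting or from Steve Losen's spooler, the POSIX sh below audits a directory the way an administrator would check a spool area: it classifies a directory by whether it is world-writable and whether the sticky bit (mode 1777, as on /tmp) is set, which restricts removal and renaming to the entry's owner, and it checks that a queued entry is a plain file (not a symlink) owned by the user who is supposed to have submitted it. The function names `spool_dir_risk` and `spool_entry_ok` and the directory layout under `mktemp -d` are assumptions made for the example.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the thread). Classifies a
# directory's mode by parsing the first ten characters of `ls -ld`, which is
# portable across the BSD and System V variants discussed in the thread.

# Prints one of: not-world-writable | world-writable-sticky | world-writable-no-sticky
spool_dir_risk() {
    dir=$1
    mode=$(ls -ld "$dir" | cut -c1-10)          # e.g. "drwxrwxrwt"
    other_w=$(printf '%s' "$mode" | cut -c9)    # 'w' if others may write
    other_x=$(printf '%s' "$mode" | cut -c10)   # 't'/'T' when the sticky bit is set
    if [ "$other_w" != "w" ]; then
        echo not-world-writable
    elif [ "$other_x" = "t" ] || [ "$other_x" = "T" ]; then
        echo world-writable-sticky
    else
        echo world-writable-no-sticky
    fi
}

# Checks one queued entry before a daemon acts on it: it must exist, be a
# regular file rather than a symlink, and be owned by the expected user.
# Prints: ok | missing | symlink | not-regular | wrong-owner
spool_entry_ok() {
    f=$1
    expected_owner=$2
    if [ -L "$f" ]; then
        echo symlink
    elif [ ! -e "$f" ]; then
        echo missing
    elif [ ! -f "$f" ]; then
        echo not-regular
    else
        owner=$(ls -ld "$f" | awk '{print $3}')  # owner is the third ls -l field
        if [ "$owner" = "$expected_owner" ]; then
            echo ok
        else
            echo wrong-owner
        fi
    fi
}

# Demonstration on constructed directories under a scratch location.
demo() {
    scratch=$(mktemp -d)
    mkdir "$scratch/open" "$scratch/sticky" "$scratch/closed"
    chmod 777 "$scratch/open"
    chmod 1777 "$scratch/sticky"
    chmod 755 "$scratch/closed"
    for d in open sticky closed; do
        printf '%s: %s\n' "$d" "$(spool_dir_risk "$scratch/$d")"
    done
    : > "$scratch/sticky/job1"
    ln -s /etc/passwd "$scratch/sticky/job2"
    printf 'job1: %s\n' "$(spool_entry_ok "$scratch/sticky/job1" "$(id -un)")"
    printf 'job2: %s\n' "$(spool_entry_ok "$scratch/sticky/job2" "$(id -un)")"
    rm -rf "$scratch"
}
demo
```

A daemon that drains the queue can run `spool_dir_risk` once at startup and `spool_entry_ok` on each entry before handing it to the printer; the sticky bit closes the "remove theirs" half of the scenario quoted above, and the owner check means a job that somehow does appear under another name is simply skipped rather than printed.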