Path: utzoo!mnetor!uunet!husc6!ncar!gatech!mcnc!decvax!mandrill!hal!ncoast!allbery
From: allbery@ncoast.UUCP (Brandon Allbery)
Newsgroups: comp.bugs.sys5
Subject: Re: A security hole
Message-ID: <7521@ncoast.UUCP>
Date: 19 Mar 88 00:22:04 GMT
References: <181@wsccs.UUCP> <722@rivm05.UUCP> <478@minya.UUCP>
Reply-To: allbery@ncoast.UUCP (Brandon Allbery)
Followup-To: comp.bugs.sys5
Organization: Cleveland Public Access UN*X, Cleveland, Oh
Lines: 19

As quoted from <478@minya.UUCP> by jc@minya.UUCP (John Chambers):
+---------------
| In article <722@rivm05.UUCP>, ccement@rivm.UUCP (Martien F v Steenbergen) writes:
| > Second, when you really need a setuid program you'll have to check a lot
| > of permissions etc. yourself.
|
| This adds to my conviction that someone doesn't know what they're talking
| about. Do you perhaps mean "setuid-root"? If so, you are of course correct.
| If you don't understand my point, you don't know enough about Unix security
| to pontificate on the subject.
+---------------

If I wasn't *real* careful with the (setuid) program which grabs incoming
sources.misc submissions, someone could gain write access to any of my files.
Such as my .login. This isn't a potential security hole?

(The alternative is to make a certain directory world-writeable; not a sound
idea in this case.)
--
Brandon S. Allbery, moderator of comp.sources.misc
{well!hoptoad,uunet!hnsurg3,cbosgd,sun!mandrill}!ncoast!allbery
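
Added example, not part of the original post and not the poster's program: one way a setuid (non-root) submission collector can keep a caller-supplied name from reaching the owner's other files such as .login. The function names, the spool layout and the naming rule are assumptions made for illustration, and it uses modern POSIX calls (openat, O_NOFOLLOW).

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Accept only one plain path component: no '/', no leading '.', short. */
static int safe_component(const char *name) {
    if (name[0] == '\0' || name[0] == '.' || strlen(name) > 64) return 0;
    return name[strspn(name, "abcdefghijklmnopqrstuvwxyz0123456789._-")] == '\0';
}

/* Create a NEW file for one submission inside spool_dir; fd or -1 (errno set). */
int open_submission(const char *spool_dir, const char *name) {
    struct stat st;
    if (!safe_component(name)) { errno = EINVAL; return -1; }
    int dfd = open(spool_dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    /* Spool must belong to the effective (setuid) user, writable by no one else. */
    if (fstat(dfd, &st) < 0 || st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(dfd); errno = EPERM; return -1;
    }
    /* O_EXCL refuses existing names, including planted symlinks; never overwrite. */
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int saved = errno;
    close(dfd);
    errno = saved;
    return fd;
}

/* Constructed demo in a temp spool: returns refused attempts (5), -1 on setup failure. */
int run_demo(void) {
    char spool[] = "/tmp/spoolXXXXXX";
    const char *hostile[] = { "../.login", ".login", "a/b", "planted" };
    int refused = 0, dfd, fd;
    if (!mkdtemp(spool) || (dfd = open(spool, O_RDONLY | O_DIRECTORY)) < 0) return -1;
    if (symlinkat("../.login", dfd, "planted") != 0) return -1;
    if ((fd = open_submission(spool, "sub-0001")) < 0) return -1; else close(fd);
    for (int i = 0; i < 4; i++)
        if (open_submission(spool, hostile[i]) < 0) refused++;
    fchmod(dfd, 0777);                      /* the world-writable alternative */
    if (open_submission(spool, "sub-0002") < 0) refused++;
    unlinkat(dfd, "planted", 0); unlinkat(dfd, "sub-0001", 0);
    close(dfd); rmdir(spool);
    return refused;
}

int main(void) { return run_demo() == 5 ? 0 : 1; }
```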