Xref: utzoo comp.unix.wizards:7423 comp.bugs.sys5:412
Path: utzoo!mnetor!uunet!mcvax!ukc!warwick!cudcv
From: cudcv@daisy.warwick.ac.uk (Rob McMahon)
Newsgroups: comp.unix.wizards,comp.bugs.sys5
Subject: Re: Guide to writing secure setuid programs?
Message-ID: <506@sol.warwick.ac.uk>
Date: 26 Mar 88 19:01:42 GMT
References: <181@wsccs.UUCP> <722@rivm05.UUCP> <1037@woton.UUCP> <700@virginia.acc.virginia.edu> <7616@oberon.USC.EDU> <8468@eddie.MIT.EDU>
Reply-To: cudcv@cu.warwick.ac.uk (Rob McMahon)
Organization: Computing Services, Warwick University, UK
Lines: 20

In article <8468@eddie.MIT.EDU> jbs@eddie.MIT.EDU (Jeff Siegal) writes:
|In article <7616@oberon.USC.EDU> blarson@skat.usc.edu (Bob Larson) writes:
|>about setuid lp programs.
|Setting the directory mode to 777 by itself doesn't let anyone modify
|or read anything.  All it allows people to do is:
|
|    1. List the file names in the directory
|    2. Access files in the directory _according_to_their_modes.
|    3. Remove files from the directory.
     4. Add files (or links) to the directory.

If you're not careful Joe User can get files printed out which he has no read
permission to by making links, symbolic links, into this directory.

Rob
--
UUCP:   ...!mcvax!ukc!warwick!cudcv     PHONE:  +44 203 523037
JANET:  cudcv@uk.ac.warwick.cu          ARPA:   cudcv@cu.warwick.ac.uk
Rob McMahon, Computing Services, Warwick University, Coventry CV4 7AL, England
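
Added example, not part of the original post or of any lp implementation: one way a privileged spooler can refuse the linked entries described above before reading a file from a world-writable spool directory. The names `open_spool_file` and `demo_case` are hypothetical, and the sketch assumes the spooler knows the requesting user's uid and that `O_NOFOLLOW` (POSIX.1-2008) is available.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a spool entry on behalf of `requester`; return an fd or -1.
 * open_spool_file and demo_case are hypothetical names for this example. */
int open_spool_file(const char *path, uid_t requester)
{
    struct stat st;
    /* O_NOFOLLOW: fail if the final component is a symbolic link.
     * O_NONBLOCK: do not hang if someone planted a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat the descriptor, not the name, so the checks apply to the
     * object actually opened even if the name is swapped afterwards. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 ||          /* extra hard link to someone's file */
        st.st_uid != requester) {    /* file is not the requester's own */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed test: kind 0 = plain file, 1 = symlink, 2 = hard link.
 * Returns 1 if the entry was accepted, 0 if rejected, -1 on setup error. */
int demo_case(int kind)
{
    char dir[] = "/tmp/spoolXXXXXX", target[64], entry[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(entry, sizeof entry, "%s/job", dir);
    int t = open(kind ? target : entry, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (t < 0) return -1;
    close(t);
    if (kind == 1 && symlink(target, entry) != 0) return -1;
    if (kind == 2 && link(target, entry) != 0) return -1;
    int fd = open_spool_file(entry, geteuid());
    if (fd >= 0) close(fd);
    unlink(entry); unlink(target); rmdir(dir);
    return fd >= 0;
}
```

The ownership check is what stops a hard link to another user's file; `O_NOFOLLOW` only covers the last path component, so the spool directory path itself must not be attacker-controlled.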