Path: utzoo!attcan!uunet!husc6!cmcl2!rutgers!njin!princeton!mccc!jonlab!jon
From: jon@jonlab.UUCP (Jon H. LaBadie)
Newsgroups: comp.unix.questions
Subject: Re: Setuid on expreserve and exrecover
Summary: Set group id instead
Message-ID: <452@jonlab.UUCP>
Date: 23 Jul 88 13:32:56 GMT
References: <794@pttesac.UUCP> <10800022@bradley>
Organization: 4455 Province Line Rd., Princeton, NJ 08540
Lines: 24

In article <10800022@bradley>, brian@bradley.UUCP writes:
>
> Do us all a favor and if you are a V. system chmod 555 ex*preserve and
> chmod 777 /usr/preserve. ex*preserve has a well-known security problem.
> If any vendor is still delivering systems with ex*preserve setuid they
> should be shot at sunrise.
>

I prefer the following scheme; it has the advantage of retaining
a degree of privacy to users' preserved editor buffers.

1. Create a new, separate group, e.g. "editor"
2. Chgrp on /usr/preserve to editor
3. Chmod on /usr/preserve to 774
4. Chgrp on /usr/lib/ex*preserve and /usr/lib/ex*recover to editor
5. Chmod on /usr/lib/ex*preserve and /usr/lib/ex*recover to 2751,
   i.e. set the group id bit

Now the preserve/mechanism is functional without any root
permissions, and the preserve directory is also protected.

--
Jon LaBadie
{att, ulysses, princeton}!jonlab!jon
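
A read-only check that a system matches the five-step scheme in the post above, as an added example that is not part of the original post. The function names `has_perm`, `group_of` and `audit_preserve` are hypothetical, the directory, group and helper paths are passed as arguments, and it assumes a POSIX `find`, `ls` and `awk`.

```shell
#!/bin/sh
# Added example, not from the original post: audit the set-group-id
# scheme (steps 1-5) without changing anything on disk.

# has_perm PATH SPEC: true if PATH matches find(1) -perm SPEC
# (2751 = exact mode, -4000 = setuid bit present).
has_perm() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# group_of PATH: print the group owner as shown by ls -ld.
group_of() {
    ls -ld -- "$1" | awk '{print $4}'
}

# audit_preserve DIR GROUP HELPER...
# DIR must be mode 774 and owned by GROUP; every HELPER must be
# mode 2751, owned by GROUP, and must not be setuid.
# Returns 0 when everything matches, 1 otherwise.
audit_preserve() {
    dir=$1; group=$2; shift 2
    rc=0
    if ! has_perm "$dir" 774; then
        echo "FAIL: $dir is not mode 774"; rc=1
    fi
    if [ "$(group_of "$dir")" != "$group" ]; then
        echo "FAIL: $dir is not group $group"; rc=1
    fi
    for f in "$@"; do
        if has_perm "$f" -4000; then
            echo "FAIL: $f is setuid"; rc=1
        elif ! has_perm "$f" 2751; then
            echo "FAIL: $f is not mode 2751"; rc=1
        fi
        if [ "$(group_of "$f")" != "$group" ]; then
            echo "FAIL: $f is not group $group"; rc=1
        fi
    done
    return $rc
}

# Usage on a system laid out as in the post:
#   audit_preserve /usr/preserve editor /usr/lib/ex*preserve /usr/lib/ex*recover
```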