[134] in linux-security and linux-alert archive
Re: Closing suid root holes
daemon@ATHENA.MIT.EDU (alex)
Mon Mar 13 01:14:39 1995
Date: Sun, 12 Mar 1995 21:11:05 -0500 (EST)
From: alex <alex@bach.cis.temple.edu>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199503122046.VAA11184@mvmampc66.ciw.uni-karlsruhe.de>
Reply-To: linux-security@tarsier.cv.nrao.edu

On Sun, 12 Mar 1995, Thomas Koenig wrote:
> Let's call it the 'system flag'.
>
> It should have the following properties:
>
> - Files with this flag cannot be removed, renamed, (hard)linked, or
> unlinked.
>
> - A file with this flag can only be opened for writing if the
> O_SYSTEM flag is supplied to open().
>
> - An open() for a file without the system flag set fails if O_SYSTEM
> is present for opening.
>
> Let's suppose, then, that /etc/passwd has this flag set. A cracker who
> has found yet another suid program bug in a utility like sendmail could
> not open /etc/passwd for writing, because sendmail's author didn't put
> O_SYSTEM into the open call.

I think everything can be simplified by adding 'nosuid' and 'suid' flags
to filesystems like in SunOS and OSF. Assume that my partitions are like
this:

    /            ext2
    /usr         ext2
    /usr/local   ext2, nosuid

Now no matter if someone found a bug in a SUID program somewhere in
/usr/local/totaly-uglypath/, it won't matter because setuid programs are not
allowed on a partition!

Best wishes,
Alex
=============================================================================
CIS Laboratories email: alex@bach.cis.temple.edu
TEMPLE UNIVERSITY ayuriev@yoda.cis.temple.edu
USA Tel: 1-800-DEV-NULL
=============================================================================
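
The partition layout from the message above, as an added example that is not part of the original post: it parses a mount table in /proc/mounts format, finds which filesystem governs a path by longest whole-component prefix, and reports whether a setuid bit would be honored there. The device names, the sample table and all function names are assumptions made up for this illustration.

```python
import posixpath

# Constructed sample in /proc/mounts format, mirroring the layout in the message.
# Device names are assumptions made up for this example.
SAMPLE_MOUNTS = """\
/dev/hda1 / ext2 rw 0 0
/dev/hda2 /usr ext2 rw 0 0
/dev/hda3 /usr/local ext2 rw,nosuid 0 0
"""

def parse_mounts(text):
    """Return {mount_point: set_of_options}; a later entry for the same point wins."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # skip blank, short and comment lines
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts

def governing_mount(path, mounts):
    """Longest mount point that is a whole-component prefix of path.
    Symlinks are not resolved here; pass an already-resolved path."""
    path = posixpath.normpath(path)
    best = None
    for mp in mounts:
        prefix = mp.rstrip("/")  # "/" becomes "", so every absolute path matches it
        if path == mp or path.startswith(prefix + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    if best is None:
        raise ValueError("no mounted filesystem covers %r" % path)
    return best

def setuid_honored(path, mounts):
    """True if the kernel would honor a setuid bit on a file at path."""
    return "nosuid" not in mounts[governing_mount(path, mounts)]

def mounts_allowing_setuid(mounts):
    """Mount points where a setuid binary would still take effect."""
    return sorted(mp for mp, opts in mounts.items() if "nosuid" not in opts)

if __name__ == "__main__":
    m = parse_mounts(SAMPLE_MOUNTS)
    for p in ("/usr/local/totaly-uglypath/prog", "/usr/localfoo/prog", "/bin/su"):
        print(p, "->", governing_mount(p, m), "setuid honored:", setuid_honored(p, m))
    print("still honor setuid:", mounts_allowing_setuid(m))
```

With this table, / and /usr are still reported as honoring setuid, so the flag only covers binaries placed under /usr/local.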