[890] in linux-security and linux-alert archive
Re: [linux-security] joy
daemon@ATHENA.MIT.EDU (Uri Blumenthal)
Wed Jul 10 16:39:37 1996
From: Uri Blumenthal <uri@watson.ibm.com>
To: jordy@thirdwave.net (Jordy)
Date: Wed, 10 Jul 1996 13:36:35 -0400 (EDT)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.BSI.3.91.960709234912.21750A-100000-100000@aloha.com> from "Jordy" at Jul 9, 96 11:53:35 pm
Reply-To: uri@watson.ibm.com
Jordy says:
> actually, dip does need to be setuid because it modifies the routing tables.
(:-) You got it...
> the problem with it was that it doesn't check strlen(), stupid thing...
> you know, someone should write a nice little howto file on setuid
> programming:
>
> on all input do strlen()
Not necessarily. Much better would be to input only a certain
number of bytes...
> don't use system()
"Shouldn't" is better than "don't"...
> put the full paths of all binaries when execl*()
> check euid
Double emphatic yes!
> reset all "evil" environmental variables
(:-)
> never run a shell script from a setuid program
Oh, there still are those who do? What are their IP addresses? (:-)
> if possible, setuid to something other than root that has only the power
> to do what is needed
Plus - many things can be done with set-gid and user groups.
> possibly do what apache does? spawn new daemons as user nobody? it was
> said that apache did it the RIGHT way.
Just say - "drop the unnecessary privileges as soon as they become
unnecessary".
Oh, and truncate that signature of yours. (:-)
--
Regards,
Uri uri@watson.ibm.com
-=-=-=-=-=-=-
<Disclaimer>
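The checklist the two of them work through above (bounded input, no system(), absolute paths for exec, check the euid, reset the environment, drop privileges as soon as they are unnecessary), put into one C program. This is an added example written for this archive page; it is not code from the thread, from dip or from apache. It assumes a Linux/glibc host; the sample input text, the PATH value and the /bin/true target are constructed for the demonstration, and the setgroups/setgid/setuid sequence is the generic one for a set-uid-root tool, not anything dip-specific.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Constructed sample input (not from the thread): one short line, then a
 * line longer than any buffer below, to exercise the truncation path. */
static const char SAMPLE_INPUT[] =
    "ppp0\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";

/* 1. Bounded input instead of strlen() after the fact: read at most cap-1
 *    bytes of one line. Returns 0 if the whole line fit, 1 if it was longer
 *    than the buffer (caller should reject it, not quietly use the prefix),
 *    -1 on EOF or error. */
int read_bounded_line(FILE *in, char *buf, size_t cap)
{
    if (cap < 2 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    /* No newline seen: discard the rest of the line and report overflow. */
    int c, overflow = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        overflow = 1;
    return overflow;
}

/* 2. "Evil" environment variables: throw away everything inherited
 *    (LD_PRELOAD, IFS, PATH, ...) and set only what is needed, to fixed
 *    values. Assigning NULL to environ makes glibc's setenv() start fresh
 *    (clearenv(3) is the glibc shortcut for the same thing). */
int sanitize_env(void)
{
    environ = NULL;
    if (setenv("PATH", "/usr/bin:/bin", 1) != 0) return -1;
    if (setenv("IFS", " \t\n", 1) != 0) return -1;
    return 0;
}

/* 3. Drop privileges permanently: supplementary groups first, then gid,
 *    then uid. The reverse order cannot work, since a non-root uid may not
 *    change its groups. Afterwards verify the drop cannot be undone. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getgid() != gid || getegid() != gid || getuid() != uid || geteuid() != uid)
        return -1;
    /* If root can be regained, the drop was not permanent: treat as failure. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* 4. Execute by absolute path with an explicit argv and the sanitized
 *    environment, via execve() rather than system(): no shell ever parses
 *    anything. Returns the child's exit status, or -1 (errno set). */
int run_fixed_program(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/') {
        errno = EINVAL;                     /* refuse any PATH lookup */
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, environ);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char line[16];
    /* "check euid": know whether the set-uid bit is actually in effect. */
    if (geteuid() != getuid())
        fprintf(stderr, "set-uid: real uid %u, effective uid %u\n",
                (unsigned)getuid(), (unsigned)geteuid());
    if (sanitize_env() != 0)
        return 1;
    /* ... the privileged work (e.g. routing-table changes) would go here ... */
    if (drop_privileges(getuid(), getgid()) != 0)
        return 1;
    /* Only now parse untrusted input, with privileges already gone. */
    FILE *in = fmemopen((void *)SAMPLE_INPUT, sizeof SAMPLE_INPUT - 1, "r");
    if (in == NULL)
        return 1;
    int rc;
    while ((rc = read_bounded_line(in, line, sizeof line)) >= 0)
        printf("%s: %s\n", rc ? "rejected (too long)" : "accepted", line);
    fclose(in);
    char *const argv[] = { "/bin/true", NULL };
    return run_fixed_program("/bin/true", argv) == 0 ? 0 : 1;
}
```

Run as an ordinary user the program simply re-sets its own uid and gid, so the drop succeeds trivially; as a set-uid-root binary the same sequence discards the supplementary groups and both the real and effective root ids, and the setuid(0) probe at the end is what turns a silently incomplete drop into a hard error.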