[7475] in bugtraq
Re: who
daemon@ATHENA.MIT.EDU (Alan Cox)
Wed Jul 29 21:43:21 1998
Date: Wed, 29 Jul 1998 21:30:48 +0100
Reply-To: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
X-To: paul@BOEHM.ORG
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19980729141932.A24141@boehm.org> from "Paul Boehm" at Jul 29,
98 02:19:32 pm
> an admin may want to use sgid/suid to prevent users from directly reading
> utmp/wtmp. i think it's good idea, not allowing every one to read files
> they don't need to read.
>
> But that group shouldn't be a general group for
> all kinds of these special permission handlings,
> cause via for example 'who' you can gain access to this group.
>
> i don't know if any distribution defaults to setting any group permissions
> but many sysadmins i know do so.
If you setuid arbitary programs without reviewing them you get hurt. Thats
to say arbitary programs should not be properly behaved and not do stupid
things based on third party actions. They can't however protect people
from a sysadmin who put 's' bits where he likes without checking the code.
Alan
