[8780] in bugtraq


Re: Why you should avoid world-writable directories

daemon@ATHENA.MIT.EDU (Ben Laurie)
Tue Dec 22 17:25:17 1998

Date: 	Tue, 22 Dec 1998 11:08:27 +0000
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Ben Laurie <ben@ALGROUP.CO.UK>
To: BUGTRAQ@NETSPACE.ORG

D. J. Bernstein wrote:
> Certainly setuid programs require a great deal of care. They've been
> involved in many security disasters, though far fewer than (for example)
> world-writable directories. The security community would love to see
> another portable IPC mechanism offering guaranteed user identification.
> (I suggest that kernels add a getpeeruid() system call, showing the real
> uid that called connect(), for UNIX-domain sockets and for loopback TCP
> sockets.) However, while we're waiting, we need a few setuid programs.

What's wrong with the LOCAL_CREDS option on UNIX domain sockets?

Cheers,

Ben.

--
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/
