[9062] in bugtraq
Re: Tracing by uid u after root does setuid(u)
daemon@ATHENA.MIT.EDU (Gene Spafford)
Fri Jan 15 01:35:44 1999
Date: Wed, 13 Jan 1999 21:35:21 -0500
Reply-To: Gene Spafford <spaf@CS.PURDUE.EDU>
From: Gene Spafford <spaf@CS.PURDUE.EDU>
X-To: "D. J. Bernstein" <djb@CR.YP.TO>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Message from "D. J. Bernstein" <djb@CR.YP.TO> of "Wed, 13 Jan 1999 02:39:16 +0000" <19990113023916.25935.qmail@cr.yp.to>

Isn't this a bit of a stretch?

> Many programs that use setuid() can be exploited this way. For example,
> you lose all security if you use the chdir()/setuid() mechanism
> suggested by Steve Bellovin and Gene Spafford.

*All* security? Maybe I'm particularly dense this evening, but I
don't see how tracing execution causes you to lose "all security"
unless you are defining that term very differently from the way I do.

--spaf