UNIX file setuid security hole?
haynes at ucbarpa.Berkeley.EDU.UUCP
Fri Mar 13 16:46:33 AEST 1987
On our student machines we hack the kernel to prevent setting the
setuid bit by a non-privileged user. If some user really needs it
set, he can request that of root. We don't get too many requests.
I made this change reluctantly after finding the system riddled
with hundreds of setuid shells that would let one user into another
user's account. They were obtained by writing a game or other
utility, inviting everyone to try it, and it had a secret side
effect of creating a setuid shell.
Jim Haynes
haynes at ucscc.bitnet
haynes at ucbarpa.berkeley.edu
...ucbvax!ucscc!haynes
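
An audit for the condition the post describes, as an added example that is not part of the original message: it walks a directory tree and reports every setuid regular file that is a byte-for-byte copy of a shell. The function names and the reference list in SHELLS are assumptions; a recompiled or modified shell will not match.

```shell
#!/bin/sh
# Added example: find setuid files that are copies of a shell binary.
# SHELLS is an assumed list of reference shells; adjust it for the system.
SHELLS="${SHELLS:-/bin/sh /bin/csh /bin/bash /bin/dash /bin/ksh /bin/zsh}"

# matches_shell FILE
# Print the first reference shell that FILE is byte-identical to.
# Returns 1 if FILE matches none of them.
matches_shell() {
    for ref in $SHELLS; do
        [ -f "$ref" ] || continue          # skip shells not installed here
        if cmp -s "$ref" "$1"; then
            printf '%s\n' "$ref"
            return 0
        fi
    done
    return 1
}

# find_setuid_shells ROOT
# Print one line per hit: "<owner uid> <path> <matched shell>".
find_setuid_shells() {
    find "$1" -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r f; do
        ref=$(matches_shell "$f") || continue
        owner=$(ls -ldn "$f" | awk '{print $3}')   # numeric uid of the owner
        printf '%s %s %s\n' "$owner" "$f" "$ref"
    done
}

# Run against a tree when invoked with an argument, e.g.: sh audit.sh /home
if [ $# -ge 1 ]; then
    find_setuid_shells "$1"
fi
```

Any hit owned by an ordinary user's uid means whoever executes that file gets a shell running as that user.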