union of effective and real permissions with setuid
utzoo!decvax!ucbvax!unix-wizards
Tue Sep 8 02:58:51 AEST 1981
From Wales at UCLA-SECURITY Mon Sep 7 23:44:38 1981
My first reaction to the suggestion that setuid programs have permissions
which are the union of the real and effective uids' permissions is that
it will complicate the UUCP situation.

Most setuid programs, it is true, are setuid in order to give the invoker
some permissions which he did not previously have (e.g., access or modify
a critical file in a controlled fashion). These programs would probably
benefit from the "union" mod -- assuming they were setuid to something
other than root; a setuid-to-root program already has all the permissions
in the world anyway.

The UUCP programs, on the other hand, are setuid in order to RESTRICT the
invoker's abilities. Above all, you DON'T want UUCP et al. to have the
permissions of the superuser (that's why they are setuid to "uucp" rather
than "root"). If I understand your suggestion correctly, a "uucico" spun
off by "cron" (which, in Berkeley UNIX at least, is executed as root)
would have superuser permissions (real uid = "root") as well as "uucp"
permissions (effective uid = "uucp"). This, I feel, is unacceptable.

I realize that this is a complex issue, because some setuid programs (owned
by someone other than root) might want the real uid's permissions, and some
might not. If this "union" mod gets put in, there had better be a reasonable
way that a program like UUCP can specify that it wants ONLY the effective
uid's permissions.
-- Rich Wales
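
Added example, not part of the original post and not code from any UNIX kernel: a simplified C model of the file-permission check under the existing effective-uid rule and under the proposed "union" rule, applied to the cron-spawned uucico case and to an ordinary user running a setuid-uucp program. Group bits are omitted, and the uid numbers, sample files and the `euid_only` opt-out flag are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed uids and files for illustration only. */
enum { UID_ROOT = 0, UID_UUCP = 5, UID_USER = 100 };
enum { WANT_R = 4, WANT_W = 2 };

struct file { unsigned owner, mode; };   /* owner/other bits only, e.g. 0600 */
struct proc { unsigned ruid, euid; bool euid_only; /* hypothetical opt-out flag */ };

const struct file root_secret = { UID_ROOT, 0600 };             /* root-only file */
const struct file user_notes  = { UID_USER, 0600 };             /* invoker's private file */
const struct proc cron_uucico = { UID_ROOT, UID_UUCP, false };  /* uucico started by cron */
const struct proc cron_uucico_optout = { UID_ROOT, UID_UUCP, true };
const struct proc user_setuid = { UID_USER, UID_UUCP, false };  /* user runs setuid-uucp program */

/* Single-uid check: uid 0 bypasses the mode bits, as the superuser does. */
static bool uid_may(unsigned uid, const struct file *f, unsigned want)
{
    if (uid == UID_ROOT)
        return true;
    unsigned bits = (uid == f->owner) ? (f->mode >> 6) & 7 : f->mode & 7;
    return (bits & want) == want;
}

/* Existing behaviour: only the effective uid is consulted. */
bool access_effective(const struct proc *p, const struct file *f, unsigned want)
{
    return uid_may(p->euid, f, want);
}

/* Proposed "union" rule: either uid may grant access, unless the program opted out. */
bool access_union(const struct proc *p, const struct file *f, unsigned want)
{
    if (p->euid_only)
        return uid_may(p->euid, f, want);
    return uid_may(p->euid, f, want) || uid_may(p->ruid, f, want);
}

int main(void)
{
    printf("cron uucico, write root file: effective=%d union=%d opt-out=%d\n",
           access_effective(&cron_uucico, &root_secret, WANT_W),
           access_union(&cron_uucico, &root_secret, WANT_W),
           access_union(&cron_uucico_optout, &root_secret, WANT_W));
    printf("user setuid-uucp, read own file: effective=%d union=%d\n",
           access_effective(&user_setuid, &user_notes, WANT_R),
           access_union(&user_setuid, &user_notes, WANT_R));
    return 0;
}
```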