unexpected alarms

Tom Truscott trt at rti-sel.UUCP
Thu Jan 17 04:20:31 AEST 1985


>           On the Correctness of Set-User-ID programs
>                     Tom Truscott (duke!trt)
>                     James Ellis  (duke!jte)
>The set-user-id (SUID) capability is a patented feature of UN*X,
>and is used by many programs (including Duke's Usenet news
>program), yet we know of no document which describes how to write
>secure SUID programs.  ...
		from net.unix-wizards, late 1981 (?)

And we *still* know of no such document!!
(The above old article discussed instead "some of the pitfalls
that await designers of such programs.")
The "UNIX Programming - Second Edition" paper, by Kernighan
and Ritchie, deserves to be expanded to book length
and have a chapter on "obscure pitfalls."
Alas, it would probably never be a bestseller.

I wonder if secure SUID programs are actually feasible?
It was bad enough back in UNIX V7 days, with alarms and The Environment,
but now we have 4.2BSD with job control, and quotas!
There are twice as many system calls to worry about.
I bet you could have a lot of fun just with "setrlimit."
Now, these new features are too useful to be abandoned
simply because they have security pitfalls,
and I suspect other equally expressive operating systems
have equally impressive security hazards,
but the question is can anything be done about it?
Have we lost control of UNIX security?
	Tom Truscott
