httpd-dev mailing list archives

From Paul Richards <>
Subject Re: setuid control WITHOUT running as root
Date Mon, 03 Jun 1996 16:29:52 GMT
>>>>> "Robert" == Robert S Thau <> writes:

Robert> If by "that kind of security hole", you mean giveaway chowns,
Robert> then it's not a security hole at all.  It's a feature that has
Robert> no severe security implications (because the giveaway chown
Robert> turns off the suid bit), *unless* something else (like a
Robert> wrapper) comes along and treats file ownership in that
Robert> environment for more than it's worth.  (The worst thing it
Robert> ordinarily does is allow users to evade disk quotas, so it
Robert> isn't a useful option on systems that have quotas, but
Robert> everyone knows that going in).

Giving away files is more of a security risk than you think. Consider
files such as .rhosts etc.
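
An added example, not part of the original message and not Apache or wrapper code: a check a wrapper could make before relying on file ownership, using POSIX `pathconf()` with `_PC_CHOWN_RESTRICTED` to see whether giveaway chowns are possible at a path. The function names, the reading of the return values and the fail-closed handling of a 0 return are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names, for illustration only. */
enum chown_policy { CHOWN_RESTRICTED, CHOWN_GIVEAWAY_POSSIBLE, CHOWN_UNKNOWN };

/* Interpret a pathconf(path, _PC_CHOWN_RESTRICTED) result and the errno it left.
 * Interpretation used here: -1 with errno untouched means the restriction is
 * not in effect; -1 with errno set is a lookup failure.
 * Assumption: a 0 return is treated as "not restricted" (fail closed). */
enum chown_policy classify_chown(long result, int err)
{
    if (result > 0)
        return CHOWN_RESTRICTED;
    if (result == -1 && err != 0)
        return CHOWN_UNKNOWN;
    return CHOWN_GIVEAWAY_POSSIBLE;
}

enum chown_policy chown_policy_for(const char *path)
{
    errno = 0;
    long r = pathconf(path, _PC_CHOWN_RESTRICTED);
    return classify_chown(r, errno);
}

/* Return 1 only when ownership of `path` by `expected` can be relied on:
 * giveaways are ruled out and the file is a regular file (not a symlink)
 * owned by that uid. Anything else fails closed. */
int owner_is_trustworthy(const char *path, uid_t expected)
{
    struct stat st;
    if (chown_policy_for(path) != CHOWN_RESTRICTED)
        return 0;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == expected;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : ".";
    static const char *names[] = { "restricted", "giveaway possible", "unknown" };
    printf("%s: chown policy is %s\n", path, names[chown_policy_for(path)]);
    printf("owned by caller and trustworthy: %d\n", owner_is_trustworthy(path, getuid()));
    return 0;
}
```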
