On Fri, 10 Dec 1999, Steve Lee wrote:

> 
> what does it mean to run something setuid

It means that when you run the program, the program changes to the uid of
the owner of the program.  So if you have a program and it's owned by root,
and you make it setuid root and executable (chmod 4755), then anyone who
runs that program will be doing the operations of that program as if they
were in fact root.

Take "passwd" for example:

-r-s--x--x   1 root     root        22312 Sep 25 10:52 /usr/bin/passwd

You know that, as user joeblow, you do not have write permission to
/etc/passwd or /etc/shadow.  Yet you can run the "passwd" program, and
change your passwd (which writes to /etc/passwd and /etc/shadow).  How is
this possible?  Because the program is "setuid root", meaning when it
runs, it runs as if it were root.  So that even though you cannot write
/etc/passwd, the /usr/bin/passwd program CAN since it runs as if it were
root.

setuid programs can open a whole slew of security problems.  Race
conditions, incomplete path names, poor environment, etc., are just the tip
of the iceberg.  Lots of caution to anyone who decides to setuid a
program.

Brian



-----------------------------------------------------
Brian Feeny (BF304)     [EMAIL PROTECTED]   
318-222-2638 x 109      http://www.shreve.net/~signal      
Network Administrator   ShreveNet Inc. (ASN 11881)            
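The mail reads the setuid bit off an ls(1) line by eye ("-r-s--x--x" is mode 4511, the "s" in the owner's execute slot being the 4000 bit that chmod 4755 sets). The following is an added example, not part of Brian's message, that does the same decoding in code: it converts a symbolic mode string to its octal value, parses a small listing, and flags the entries that are both setuid and owned by root, which is the combination the mail warns about. The listing is constructed for the example (only the /usr/bin/passwd line is taken from the mail); the helper names are the example's own.

```python
import os
import stat

# Constructed sample listing. The /usr/bin/passwd line is the one quoted in
# the mail; the other three lines are made up for this example.
SAMPLE_LISTING = """\
-r-s--x--x   1 root     root        22312 Sep 25 10:52 /usr/bin/passwd
-rwxr-xr-x   1 root     root        12345 Sep 25 10:52 /usr/bin/ls
-rwsr-xr-x   1 joeblow  users        4096 Dec 10 09:00 /home/joeblow/bin/tool
-rwxr-sr-x   1 root     tty         10000 Sep 25 10:52 /usr/bin/write
"""


def symbolic_to_octal(perm):
    """Convert a 10-character ls(1) mode string such as '-r-s--x--x' into an
    integer mode, including the setuid (4000), setgid (2000) and sticky
    (1000) bits.  A capital 'S' or 'T' means the special bit is set but the
    execute bit in the same slot is not."""
    if len(perm) != 10:
        raise ValueError("expected a 10-character mode string")
    bits = perm[1:]  # drop the file-type character
    mode = 0
    # Slots 0-2 are user rwx, 3-5 group rwx, 6-8 other rwx; slot i maps to
    # bit (8 - i) of the low nine permission bits.
    for i, ch in enumerate(bits):
        shift = 8 - i
        if ch in "rwx":
            mode |= 1 << shift
        elif ch in "sS":
            if i == 2:
                mode |= stat.S_ISUID
            elif i == 5:
                mode |= stat.S_ISGID
            else:
                raise ValueError("setuid/setgid marker in a non-execute slot")
            if ch == "s":
                mode |= 1 << shift
        elif ch in "tT":
            if i != 8:
                raise ValueError("sticky marker outside the 'other' slot")
            mode |= stat.S_ISVTX
            if ch == "t":
                mode |= 1 << shift
        elif ch != "-":
            raise ValueError("unexpected character %r in mode string" % ch)
    return mode


def mode_string(mode):
    """Render a mode the way chmod takes it, e.g. 0o4511 -> '4511'."""
    return "%04o" % mode


def parse_listing(text):
    """Parse 'ls -l' style lines into (path, owner, mode) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 8)  # 9 fields; the path is the last one
        if len(fields) < 9:
            continue
        perm, owner, path = fields[0], fields[2], fields[8]
        entries.append((path, owner, symbolic_to_octal(perm)))
    return entries


def find_setuid_root(entries):
    """Return the paths that are setuid AND owned by root: every caller of
    such a program acts as root while it runs, which is what the mail
    describes for /usr/bin/passwd.  A setuid file owned by an ordinary user
    is still worth a look but does not hand out root."""
    return [path for path, owner, mode in entries
            if mode & stat.S_ISUID and owner == "root"]


def is_setuid_root_on_disk(path):
    """The same check against a real file via stat(2) instead of ls output."""
    st = os.stat(path)
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0


if __name__ == "__main__":
    for path, owner, mode in parse_listing(SAMPLE_LISTING):
        flag = " <-- setuid root" if path in find_setuid_root(parse_listing(SAMPLE_LISTING)) else ""
        print("%s %-8s %s%s" % (mode_string(mode), owner, path, flag))
```

Running the block prints one line per entry with its octal mode, so the passwd line shows up as 4511 and is the only one flagged. On a live system the same logic can be fed the output of `ls -l` over the files that `find / -perm -4000` reports, which is the usual way to inventory what has been made setuid.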


-- 
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.