| 1 |
>>>>> On Sun, 29 Jul 2018, Michael Orlitzky wrote: |
| 2 |
|
| 3 |
> After thinking about this for a while, I think we should ignore setgid |
| 4 |
> but not setuid executables. The problem with setuid and a non-root owner |
| 5 |
> is that the owner can always exploit the situation: |
| 6 |
|
| 7 |
> Suppose /bin/foo is owned by "foo" and setuid. If root (or any other |
| 8 |
> privileged user) is about to run /bin/foo, then the "foo" user can |
| 9 |
> simply strip away the setuid bit and fill /bin/foo with malicious code. |
| 10 |
|
| 11 |
Staying with the man:man example, how would anybody become the "man" |
| 12 |
user, in the first place? That user has /bin/false as a shell and no |
| 13 |
valid password. |
| 14 |
|
| 15 |
> The same situation with setgid is safe because (as far as I know) |
| 16 |
> members of the group can't strip off the setgid bit. |
| 17 |
|
| 18 |
Setgid executables shouldn't be group writable, so I believe that part |
| 19 |
of the test is fine as-is in v1 of your patch. |
| 20 |
|
| 21 |
Ulrich |
Archives