>>>>> On Sun, 29 Jul 2018, Michael Orlitzky wrote:

> After thinking about this for a while, I think we should ignore setgid
> but not setuid executables. The problem with setuid and a non-root owner
> is that the owner can always exploit the situation:

> Suppose /bin/foo is owned by "foo" and setuid. If root (or any other
> privileged user) is about to run /bin/foo, then the "foo" user can
> simply strip away the setuid bit and fill /bin/foo with malicious code.

Staying with the man:man example, how would anybody become the "man"
user, in the first place? That user has /bin/false as a shell and no
valid password.

> The same situation with setgid is safe because (as far as I know)
> members of the group can't strip off the setgid bit.

Setgid executables shouldn't be group writable, so I believe that part
of the test is fine as-is in v1 of your patch.

Ulrich |
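A small audit for the two conditions discussed in this thread, added here as an example; it is not the patch under review or the project's QA check, and the function names and the "tag path" report format are assumptions:

```shell
#!/bin/sh
# Added example, not part of the thread or the patch under discussion.
# Function names and the "<tag> <path>" report format are assumptions.
#
# Reports, for a directory tree, the two cases the thread discusses:
#   setuid-nonroot        setuid executable not owned by root (the owner
#                         could replace what a privileged user will run)
#   setgid-groupwritable  setgid executable that is group writable (should
#                         never occur on an installed system)

# Setuid files under $1 whose owner is not root (POSIX find predicates only).
find_setuid_nonroot() {
    find "$1" -xdev -type f -perm -4000 ! -user root -print 2>/dev/null \
        | sed 's/^/setuid-nonroot /'
}

# Setgid files under $1 that are writable by their group.
find_setgid_group_writable() {
    find "$1" -xdev -type f -perm -2000 -perm -020 -print 2>/dev/null \
        | sed 's/^/setgid-groupwritable /'
}

# Run both checks on $1. Prints one finding per line; returns 0 when the
# tree is clean and 1 when anything was reported, so it can gate a build.
audit_privileged_execs() {
    findings=$( find_setuid_nonroot "$1"; find_setgid_group_writable "$1" )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Usage: audit_privileged_execs /usr/bin
```

Run against an image root (or a staging directory before merge) to catch both the non-root setuid case and any group-writable setgid binary in one pass.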