Re: Why you should avoid world-writable directories

From: Ben Laurie (benat_private)
Date: Tue Dec 22 1998 - 03:08:27 PST

Next message: Ben Winslow: "Re: Ircii-epic: about dcc hijacking... (fwd)"

Previous message: Sergey V. Kolychev: "New perl module Net::RawIP"
Maybe in reply to: D. J. Bernstein: "Why you should avoid world-writable directories"
Next in thread: Darren Reed: "Re: Why you should avoid world-writable directories"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

D. J. Bernstein wrote:
> Certainly setuid programs require a great deal of care. They've been
> involved in many security disasters, though far fewer than (for example)
> world-writable directories. The security community would love to see
> another portable IPC mechanism offering guaranteed user identification.
> (I suggest that kernels add a getpeeruid() system call, showing the real
> uid that called connect(), for UNIX-domain sockets and for loopback TCP
> sockets.) However, while we're waiting, we need a few setuid programs.

What's wrong with the LOCAL_CREDS option on UNIX domain sockets?

Cheers,

Ben.

--
Ben Laurie            |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: benat_private |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/

Next message: Ben Winslow: "Re: Ircii-epic: about dcc hijacking... (fwd)"
Previous message: Sergey V. Kolychev: "New perl module Net::RawIP"
Maybe in reply to: D. J. Bernstein: "Why you should avoid world-writable directories"
Next in thread: Darren Reed: "Re: Why you should avoid world-writable directories"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:25:42 PDT