On Wed, Jun 20, 2001 at 12:02:47AM -0600, Hubert Chan wrote:

> be SUID, you're safer without it being SUID). Is there any (sane) way
> of making it so that programs such as passwd, chsh, etc. don't need to
> be SUID?
Not really. Not if you want to ensure that any of the data they can alter passes sanity checks despite a malicious user, which is a case you certainly have to allow for. Putting the password into a file that the user owns also allows a careless user to make it world-readable (or even writeable, eh?). Nope.

SUID programs are a security risk because they offer interesting power to those who can subvert them, but they are also the way Unix systems extend restricted access to protected resources to non-root users. Rather than trying to eliminate them, which is almost certainly impossible without adding something comparable to ACLs and a raft of systemic changes (to segregate what are now fields in one record to be in separate, hence separately access-controlled files, for example), we might want to consider whether they could instead be implemented in a way that made them much less likely to be exploitable. The C language is a wonderful thing, but it offers many subtle ways to err.

-- 
Truth in advertising is like leaven, which a woman hid in three measures of meal. It provides a suitable quantity of gas, with which to blow out a mass of crude misrepresentations into a form that the public can swallow.
    - Dorothy Sayers, _Murder Must Advertise_
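One concrete form of "implemented in a way that made them much less likely to be exploitable" is for a SUID program to do its privileged work early and then drop to the caller's identity irrevocably, checking every step. The following is an added example written for this page, not code from the thread or from any real passwd/chsh implementation; it assumes a Linux or other POSIX system where `setgroups` is declared in `<grp.h>`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to the invoking user's real uid/gid.
 * Returns 0 on success, -1 (errno set) if any step fails.
 * Order matters: supplementary groups and gid first, because once the
 * effective uid is no longer 0 the process can no longer change them. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* setgroups() needs root; unprivileged callers have nothing to clear. */
    if (geteuid() == 0 && setgroups(1, &rgid) != 0)
        return -1;

    /* Setting real and effective gid/uid together also resets the saved
     * ids (POSIX), so the old effective identity cannot be re-acquired. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    if (setreuid(ruid, ruid) != 0)
        return -1;

    /* Never trust the calls alone: setuid() has historically been able to
     * fail (e.g. under RLIMIT_NPROC on older Linux kernels), and an
     * unchecked return value leaves the program still running as root. */
    if (geteuid() != ruid || getegid() != rgid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* 1 if the process still runs under an identity other than the caller's,
 * i.e. the window a subverted SUID program would expose; 0 once dropped. */
int still_privileged(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}
```

Run unprivileged the drop is a no-op that still succeeds; installed SUID root, the verification at the end is what turns a silent failure into a refused operation.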