Bugtraq mailing list archives
Re: Why you should avoid world-writable directories
From: ben () ALGROUP CO UK (Ben Laurie)
Date: Tue, 22 Dec 1998 11:08:27 +0000
D. J. Bernstein wrote:
> Certainly setuid programs require a great deal of care. They've been involved in many security disasters, though far fewer than (for example) world-writable directories. The security community would love to see another portable IPC mechanism offering guaranteed user identification. (I suggest that kernels add a getpeeruid() system call, showing the real uid that called connect(), for UNIX-domain sockets and for loopback TCP sockets.) However, while we're waiting, we need a few setuid programs.
What's wrong with the LOCAL_CREDS option on UNIX domain sockets?

Cheers,

Ben.

--
Ben Laurie            |Phone: +44 (181) 735 0686|  Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: ben () algroup co uk |
A.L. Digital Ltd,     |Apache-SSL author     http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache/
