Bugtraq mailing list archives

Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service)


From: budney-lists-bugtraq () PEREGRINE MAYA COM (Len Budney)
Date: Fri, 8 Jan 1999 15:46:10 -0500


Never thought I'd be posting to bugtraq, but:

Darren Reed <avalon () COOMBS ANU EDU AU> wrote:
> On Tue, 5 Jan 1999, D. J. Bernstein wrote:
> > Venema further claims that ``a set-uid posting program cannot guarantee
> > user identification.'' That claim is false. The user id is provided by
> > the standard UNIX getuid() system call.
>
> Just to be pedantic, Venema is correct...If I find some other avenue
> to obtain a different uid...getuid() will...thereafter fail to
> identify correctly which user is sending the email.

Of course. If you log into my workstation as me, it will be
_impossible_ to tell who did it. If you spoof my English well enough,
you might even fool *me*. That's irrelevant. Short of divine
revelation, getuid() is the best you can do _portably_, _today_, on
_UNIX_machines_.

> When all email is cryptographically signed...

[A moment of silence] Yes, we all long for that day. That day is not
today.

Len.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Len Budney                 |  Premature optimization is the root of
Maya Design Group          |  all evil.
budney () maya com            |              -- Prof. Donald Knuth
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
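An added example, not code from this thread or from qmail, of the point Bernstein and Reed are arguing over: a set-uid posting helper records its sender from getuid(), which the kernel fills in from the invoking process and the caller cannot choose, and that value is shown next to the LOGNAME environment variable, which any caller can set to anything. The struct and function names are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Identity of the invoking user as the kernel reports it (hypothetical type). */
struct sender_id {
    uid_t real_uid;       /* getuid(): the user who ran the program */
    uid_t effective_uid;  /* geteuid(): the owner of the set-uid binary */
    char  name[64];       /* login name for real_uid, or "?" if no passwd entry */
};

/* Fill *out from kernel-supplied credentials, not from anything the
 * caller passed in. Returns 0 on success. */
int identify_sender(struct sender_id *out)
{
    struct passwd pw, *res = NULL;
    char buf[1024];

    memset(out, 0, sizeof *out);
    out->real_uid = getuid();
    out->effective_uid = geteuid();
    if (getpwuid_r(out->real_uid, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        snprintf(out->name, sizeof out->name, "?");
    else
        snprintf(out->name, sizeof out->name, "%s", pw.pw_name);
    return 0;
}

/* What the environment claims. Shown for comparison only: a caller sets
 * LOGNAME freely, so a posting program must never identify a sender by it. */
const char *env_claimed_user(void)
{
    const char *u = getenv("LOGNAME");
    return u ? u : "(unset)";
}

/* Returns 1 when the environment's claim agrees with the kernel's real uid,
 * 0 when it does not (the case a set-uid program has to be built for). */
int env_claim_is_honest(void)
{
    struct sender_id id;
    identify_sender(&id);
    return strcmp(id.name, env_claimed_user()) == 0;
}
```

Calling identify_sender() early, before any privilege is dropped or changed, is what lets the helper log the real uid regardless of what the environment says.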


