[Linux-disciples] Setuid/setgid

Dylan Thurston dthurston at barnard.edu
Sat Nov 19 23:39:43 EST 2005


On Sat, Nov 19, 2005 at 11:22:58PM -0500, Stephen R Laniel wrote:
> When people warn against running programs setuid/setgid --
> such as <http://www.gtk.org/setuid.html> -- are they warning
> against setting that bit at all, or specifically warning
> against setuid root? Because isn't it the case that running
> setuid with a 'nobody'-type user is actually *more* secure?

You have to be very careful about what other files that user can write
to.  For instance, if you have two programs that are setuid 'nobody',
then one could potentially compromise the other.  There were several
security bugs involving programs that were setuid 'games', for
instance.

Peace,
	Dylan
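As an added illustration of the point above (example code written for this page, not from the list or from any project), here is a small audit script for exactly that situation: for one non-root account such as 'games' or 'nobody', it lists the setuid/setgid programs the account owns and the files the account could write to. Any path that appears in both lists means a bug in one program lets whoever exploits it overwrite another program that runs with the same privileges. `build_demo_tree` creates a constructed sample tree for the reader to try; the `/usr`, `/var` and `/etc` roots in the `__main__` block are assumed and should be adjusted for the system being audited.

```python
#!/usr/bin/env python3
"""Audit helper: for one non-root account, list the setuid/setgid programs it
owns and the files it can write to, so that overlaps (one program able to
overwrite another that runs with the same privileges) stand out.
Hypothetical example code; the real-system roots used in __main__ are assumed."""
import os
import pwd
import stat
import tempfile
from collections import defaultdict


def is_privileged(mode):
    """True for a regular file carrying the setuid or setgid bit."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def writable_by(st, uid, groups):
    """Classic Unix permission check for a write by `uid` with group set
    `groups`: owner bits if the file is owned by uid, else group bits if the
    file's gid is in groups, else the 'other' bits. ACLs, capabilities and
    directory traversal rights are deliberately ignored to keep this simple."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def walk_files(root):
    """Yield (path, lstat) for every entry below root, never following symlinks."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry; skip it


def find_privileged(root):
    """Map owner uid -> sorted setuid/setgid regular files below root."""
    by_owner = defaultdict(list)
    for path, st in walk_files(root):
        if is_privileged(st.st_mode):
            by_owner[st.st_uid].append(path)
    return {owner: sorted(paths) for owner, paths in by_owner.items()}


def audit(bin_root, data_roots, uid, groups=()):
    """Return the privileged programs owned by uid, the files below data_roots
    that uid could modify, and the intersection of the two (programs that a
    compromised sibling running as the same account could replace)."""
    privileged = find_privileged(bin_root).get(uid, [])
    writable = sorted(
        path
        for data_root in data_roots
        for path, st in walk_files(data_root)
        if stat.S_ISREG(st.st_mode) and writable_by(st, uid, set(groups))
    )
    return {
        "privileged": privileged,
        "writable": writable,
        "shared": sorted(set(privileged) & set(writable)),
    }


def build_demo_tree():
    """Constructed sample layout owned by the current user: two setuid
    programs (think: two games that are setuid 'games') plus one writable and
    one read-only data file. Returns (base_dir, {name: path})."""
    base = tempfile.mkdtemp(prefix="setuid-audit-")
    paths = {"bin": os.path.join(base, "bin"), "var": os.path.join(base, "var")}
    os.mkdir(paths["bin"])
    os.mkdir(paths["var"])
    for name, sub, mode in (("game_a", "bin", 0o4755), ("game_b", "bin", 0o4755),
                            ("scores", "var", 0o644), ("readonly", "var", 0o444)):
        path = os.path.join(paths[sub], name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)  # a file's owner may set the setuid bit on it
        paths[name] = path
    return base, paths


if __name__ == "__main__":
    import sys
    account = sys.argv[1] if len(sys.argv) > 1 else "games"
    pw = pwd.getpwnam(account)
    groups = os.getgrouplist(account, pw.pw_gid)
    # Assumed roots for a live run; adjust them for the system being audited.
    report = audit("/usr", ["/usr", "/var", "/etc"], pw.pw_uid, groups)
    for key in ("privileged", "writable", "shared"):
        print(f"{key} ({len(report[key])}):")
        for path in report[key]:
            print("  " + path)
```

In the sample tree both setuid programs are mode 4755 and owned by the same account, so they show up under "shared": that is the configuration the mail warns about, and the fix is to make such binaries unwritable by the account they run as (and to keep that account's writable data, such as score files, away from anything another setuid program trusts).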