Re: SUID program removal

From: Seth Arnold (sarnold@wirex.com)
Date: 10/21/01


Date: Sat, 20 Oct 2001 21:33:11 -0700
From: Seth Arnold <sarnold@wirex.com>
To: focus-linux@securityfocus.com
Subject: Re: SUID program removal
Message-ID: <20011020213311.A27112@wirex.com>

On Fri, Oct 19, 2001 at 04:29:33PM -0400, Jason Giglio wrote:
> >
> > And of course, one should never, never, NEVER make ANY system
> > executable world writable! I prefer to keep them at root.root 0555 or
> > at times even 0511 unless there is specific reason to do otherwise.
> >
>
> What's the point of 511 rather than 500?

Sometimes, one wants standard users to be able to execute the setuid
programs. After all, if one didn't want anyone but root to run the
program, it doesn't really need the setuid bit anyway, does it? :)
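As an added illustration (not part of the thread, nor Seth Arnold's code), the script below turns the 0555 / 0511 / 0500 reasoning into two checks: `describe_mode` classifies a numeric mode the way the post does (setuid with no execute bit for others buys nothing over 0500; setuid combined with group or world write is the case the earlier poster warns against), and `audit_setuid` walks a directory and reports that classification for every setuid file. It assumes a POSIX shell, find(1), and GNU `stat -c '%a'`; the file names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Classifies permission modes
# as the post reasons about 0555 / 0511 / 0500 and audits a tree for setuid
# files whose mode undermines the bit. Assumes POSIX sh, find(1) and GNU stat.

# describe_mode MODE   (MODE is octal, e.g. 4511 or 0511)
# Prints exactly one word:
#   not-setuid              setuid bit is clear
#   setuid-writable         setuid AND writable by group or others
#   setuid-not-others-exec  setuid but "other" has no execute bit, so only the
#                           owner can run it and the bit adds nothing over 0500
#   setuid-ok               setuid, executable by others, not group/other writable
describe_mode() (
    mode=$(( 0$1 ))                      # leading 0 forces octal interpretation
    if [ $(( mode & 04000 )) -eq 0 ]; then
        echo not-setuid
    elif [ $(( mode & 022 )) -ne 0 ]; then   # 020 = group write, 002 = other write
        echo setuid-writable
    elif [ $(( mode & 001 )) -eq 0 ]; then   # 001 = other execute
        echo setuid-not-others-exec
    else
        echo setuid-ok
    fi
)

# audit_setuid DIR
# Prints "STATUS PATH" for every setuid regular file under DIR, sorted by path.
audit_setuid() {
    find "$1" -type f -perm -4000 -print | sort | while IFS= read -r f; do
        m=$(stat -c '%a' "$f")           # GNU stat: numeric mode incl. setuid digit, e.g. 4511
        printf '%s %s\n' "$(describe_mode "$m")" "$f"
    done
}

# demo: build a scratch tree with constructed modes and audit it.
demo() {
    d=$(mktemp -d)
    for m in 4555 4511 4500 4775 755; do
        : > "$d/bin_$m"                  # constructed empty file named after its mode
        chmod "$m" "$d/bin_$m"
    done
    audit_setuid "$d"
    rm -rf "$d"
}

if [ "${1:-}" = --demo ]; then
    demo
fi
```

Run it as `sh audit.sh --demo` to see the four setuid files classified; `bin_755` is not reported because it carries no setuid bit. Pointing `audit_setuid` at `/usr/bin` gives the same report for a real system, where any `setuid-writable` line is the condition the thread says must never occur.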
