Re: set-UID
From: Alun Jones [MS MVP] (alun_at_texis.com)
Date: 09/08/03
- Next message: Don Jvax: "file permission question"
- Previous message: e展k: "set-UID"
- In reply to: e展k: "set-UID"
- Next in thread: e展k: "Re: set-UID"
- Reply: e展k: "Re: set-UID"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 08 Sep 2003 21:07:37 GMT
In article <tgqplvgugmp1sp7j9ta6rfdv6rprv39538@4ax.com>, e展k
<et57__DELETE__THIS__@hotmail.com> wrote:
>What is a set-UID program and why is it baaaaad from a security
>standpoint?
Put very simply, it's a program that has been created with special flags
that make it run, not under the security context of the user who starts it
up, but under the security context of the user who created / installed it.
That user context is usually the "root" account - the superuser account in
Unix, which can do anything.
The reason it's bad is that all programs have bugs. Some of those bugs are
"exploitable" - they can be used to run a piece of code that an attacker
creates. If you have an exploitable program that automatically sets the
user ID (hence, "setuid") to "root", then you are handing the keys to your
system over to an attacker.
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | alun@texis.com.
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
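To make the "runs under the owner's context, not the caller's" point concrete, here is an added example (not from the post or its author) showing what a set-UID program actually sees: the real UID is the user who started it, the effective UID is the user who owns the executable. It also shows the one thing a careful set-UID program should do as early as possible: drop the borrowed identity permanently and verify that it is really gone. It assumes Linux (setresuid/getresuid); run it normally and it reports "no" for set-UID context, and the drop is a harmless no-op.

```c
#define _GNU_SOURCE          /* for setresuid/getresuid (Linux; assumed) */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* A set-UID program is one where "who started me" (real UID) differs from
 * "who I am acting as" (effective UID, taken from the file's owner). */
int running_setuid(void) {
    return getuid() != geteuid();
}

/* Give up the elevated identity for good: set real, effective AND saved
 * UID to the invoking user. Forgetting the saved UID is the classic
 * mistake that lets a later call quietly restore the old identity.
 * Returns 0 on success, -1 if the drop failed or could be undone. */
int drop_privileges_permanently(void) {
    uid_t real = getuid();
    if (setresuid(real, real, real) != 0)
        return -1;

    /* Verify rather than trust: all three IDs must now be the real user,
     * and climbing back to root must be impossible (expect EPERM). */
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    if (r != real || e != real || s != real)
        return -1;
    if (real != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void) {
    printf("real uid %u, effective uid %u, set-UID context: %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           running_setuid() ? "yes" : "no");
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("after drop: real uid %u, effective uid %u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

Everything the program does after the drop runs with the caller's own rights, so an exploitable bug past that point no longer hands over "the keys to your system".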