Re: set-UID
From: eŽik (et57__DELETE__THIS___at_hotmail.com)
Date: 09/09/03
- In reply to: Alun Jones [MS MVP]: "Re: set-UID"
Date: Tue, 09 Sep 2003 11:45:53 +0200
On Mon, 08 Sep 2003 21:07:37 GMT, the right honourable alun@texis.com
(Alun Jones [MS MVP]) wrote:
>In article <tgqplvgugmp1sp7j9ta6rfdv6rprv39538@4ax.com>, eŽik
><et57__DELETE__THIS__@hotmail.com> wrote:
>>What is a set-UID program and why is it baaaaad from a security
>>standpoint ?
>
>Put very simply, it's a program that has been created with special flags
>that make it run, not under the security context of the user who starts it
>up, but under the security context of the user who created / installed it.
>
>That user context is usually the "root" account - the superuser account in
>Unix, and which can do anything.
>
>The reason it's bad is that all programs have bugs. Some of those bugs are
>"exploitable" - they can be used to run a piece of code that an attacker
>creates. If you have an exploitable program that automatically sets the
>user ID (hence, "setuid") to "root", then you are handing the keys to your
>system over to an attacker.
>
>Alun.
>~~~~
>
>[Please don't email posters, if a Usenet response is appropriate.]
thank you for the enlightenment.
most appreciated.
frgr
Erik
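
The "special flags" described in the quoted reply are the set-UID mode bit, and the account the program runs as is the file's owner. The following is an added example, not part of the original thread: a small C audit that lists set-UID files in one directory and marks the root-owned ones. The names `classify` and `audit_dir` and the default directory `/usr/bin` are assumptions made for this illustration.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

enum suid_class { NOT_SUID, SUID_OTHER, SUID_ROOT };

/* The flag is the S_ISUID mode bit; the identity the program runs
   under is the file owner (st_uid), which is root when st_uid == 0. */
enum suid_class classify(const struct stat *st)
{
    if (!S_ISREG(st->st_mode) || !(st->st_mode & S_ISUID))
        return NOT_SUID;
    return st->st_uid == 0 ? SUID_ROOT : SUID_OTHER;
}

/* List set-UID files directly inside dir (not recursive).
   Returns the number found, or -1 if dir cannot be opened. */
int audit_dir(const char *dir)
{
    DIR *d = opendir(dir);
    if (!d)
        return -1;
    int found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char path[4096];
        struct stat st;
        int n = snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (n < 0 || (size_t)n >= sizeof path)
            continue;                      /* path too long, skip */
        if (lstat(path, &st) != 0)         /* lstat: do not follow symlinks */
            continue;
        enum suid_class c = classify(&st);
        if (c == NOT_SUID)
            continue;
        struct passwd *pw = getpwuid(st.st_uid);
        printf("%-9s owner=%s(%u) mode=%04o %s\n",
               c == SUID_ROOT ? "SUID-ROOT" : "SUID",
               pw ? pw->pw_name : "?", (unsigned)st.st_uid,
               (unsigned)(st.st_mode & 07777), path);
        found++;
    }
    closedir(d);
    return found;
}

int main(int argc, char **argv)
{
    return audit_dir(argc > 1 ? argv[1] : "/usr/bin") < 0;
}
```

Each `SUID-ROOT` line is a program whose bugs would be reachable with root's identity, so the list is worth reviewing and keeping short.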