Message-ID: <20031206121940.GX1767@skywalker.bsws.de>
From: hb-fulldisclosure at bsws.de (Henning Brauer)
Subject: Partial Solution to SUID Problems

On Sat, Dec 06, 2003 at 02:53:58AM -0500, Todd Burroughs wrote:
> If, by "messing up with them", you mean "turning off the suid bit", that
> cannot decrease security.  If they think otherwise, they do not know
> what they talk about.  Any program that is suid or sgid can either do
> nothing for or decrease your security.  I cannot think of any possible
> way that keeping suid/sgid could increase your security.  There are some
> exceptions if you want to give people partial root access, like 'sudo'.

Please explain how a user should be able to change his password 
without a setuid passwd. Write access to /etc/spwd.db and pwd.db for 
everybody...?

-- 
Henning Brauer, BS Web Services, http://bsws.de
hb@...s.de - henning@...nbsd.org
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

