[kismac] Re: suid off

On Apr 28, 2005, at 10:53 AM, Robin L Darroch robin-at-spade-men.com |KisMAC list/personal| wrote:

Apple snuck in a worthwhile security fix in the release. They turned off the ability to use the SETUID bit in file permissions which allows any user to start up an admin process. Most modern Unix systems have removed this feature as a serious security risk.

I know this is going a bit off-topic, but I'm curious to know why the SETUID bit is - in and of itself - a serious security risk. Surely as long as the process in question is appropriately secure, allowing it to run as an administrative user even though it has been called by a regular user is sometimes an appropriate way of doing things. Of course, it is the admin's responsibility to ensure that any SUID-root application or script is secure (because otherwise buffer overflow and break-out exploits could render the system insecure)... but it should be up to the admin to do that, no?

The SETUID functionality itself hasn't been disabled; only SETUID _scripts_ have been disallowed. And this is (and has been for quite some time) pretty much the standard on the unix variants I'm familiar with (Linux / BSDs). Most applications that people let run SUID root have been subjected to extra scrutiny, knowing the extra privilege they have and the damage they could cause. The same cannot be said for most shell scripts that many would create and set SUID root.

Here's a better explanation than I can give on how SUID root scripts can go bad:
http://www.samag.com/documents/s=1149/sam0106a/0106a.htm
But I'm pretty sure I've been hearing the sentiment (SUID scripts are dangerous) for as long as I've been playing with Linux (2.0 kernel?) and BSDs (Freebsd 3.1?)

 - Brian


Other related posts: