[kismac] Re: suid off
- From: Brad Knowles <brad@xxxxxxxxxxxxxxxxxxx>
- To: kismac@xxxxxxxxxxxxx
- Date: Thu, 28 Apr 2005 21:02:04 +0200
At 7:41 AM -0700 2005-04-28, Rob Frohne wrote:
Apple snuck in a worthwhile security fix in the release. They turned off
the ability to use the SETUID bit in file permissions which allows any
user to start up an admin process. Most modern Unix systems have removed
this feature as a serious security risk.
The issue is not setuid per se, but setuid scripts. It is
notoriously hard to program a script in a sufficiently defensive way
that it can protect itself against all the possible attacks that
could be aimed its way, if it were run setuid. It's much easier to
write programs in languages such as C that can be safely setuid,
although it does still take some care.
But setuid scripts are pretty much impossible to fully secure.
I'm not surprised that Apple decided to turn off the ability to have
To be honest, I don't see this as a problem. So you have to type
in your admin password when you go to start doing WiFi
sniffing/scanning in passive mode -- big deal.
Active mode doesn't require an admin password, and you shouldn't
be doing this sort of stuff if you're not capable of doing
administrative tasks on the machine -- mucking about replacing the
standard system-provided device drivers with customized third-party
drivers is not for the faint-of-heart.
Brad Knowles, <brad@xxxxxxxxxxxxxxxxxxx>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
Other related posts: