> That is NOT wrong. The files belong to the server. Not a user. I've been
> running a server that way for years.

This is insecure.

A user has a defined security context. If the user can create code that
is then executed in a different security context (user httpd/nobody), then
you've got a potential problem. If you have multiple users who can
create code that executes in the *same* security context, you have a
recipe for disaster.

user1 can write a web app that deletes/modifies the web app, or web-app-
created files, of user2.

Dax Kelson
Guru Labs
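
An added example, not part of the original message: a Python audit of the shared-context exposure described above, listing which paths under each user's docroot the common server account can modify. The function names, docroot layout and file names are hypothetical; only classic mode bits are evaluated (no POSIX ACLs, no root override).

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Apply the owner/group/other mode-bit check for a process uid/gids."""
    if st.st_uid == uid:                      # owner class wins if it matches
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def shared_context_exposure(docroots, server_uid, server_gids):
    """Map each site owner to paths the shared server account can modify.

    docroots: {owner_name: path}. Every path reported for one owner can be
    changed or deleted by code any other owner deploys, because all of it
    executes as server_uid. A writable directory counts: it allows entries
    to be removed or replaced.
    """
    report = {}
    for owner, root in docroots.items():
        hits = []
        for dirpath, _dirs, files in os.walk(root):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                st = os.lstat(path)           # do not follow symlinks
                if stat.S_ISLNK(st.st_mode):
                    continue
                if writable_by(st, server_uid, server_gids):
                    hits.append(os.path.relpath(path, root))
        report[owner] = sorted(hits)
    return report

if __name__ == "__main__":
    # Constructed sample tree: one docroot whose files "belong to the server".
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for name, mode in (("index.php", 0o644), ("readonly.php", 0o444)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    server_uid = os.lstat(root).st_uid        # assumption: server owns the files
    for owner, paths in shared_context_exposure(
            {"user2": root}, server_uid, set()).items():
        print(owner, "exposed to every app running as the server:", paths)
```
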