Aucbvax.3052 fa.unix-wizards utzoo!decvax!ucbvax!unix-wizards Thu Sep 10 05:41:13 1981 Re: setuid cleared on write >From eps@UCLA-Security Thu Sep 10 05:35:22 1981 You've totally missed the point I'm trying to make. If I don't want other users to write a file then I won't leave it writable. I find it very hard to "accidentally leave a file writable" given that my umask is 022 and if I'm chmod'ing something other than 644 or 755 then I do it symbolically anyway. It makes more sense to make a file not writable than to put stupid kernel hacks in. Your suggestion would (besides inconveniencing users who have a legitimate need/right to write files they don't own) make it more likely that users who write set- programs will be careless "knowing that the system will protect them." I know of a system that is always low on disk space, so the users have (human-enforced) quotas. Does this encourage people to cut their usage? No! They don't bother to clean up fifty versions of a file because someone else will do it for them. Take some responsibility for your actions. Don't be lulled into a false sense of "security" because when someone DOES break your system you're going to be in for a BIG surprise. If you need "hand-holding" then use your Unix-given software tools to write hand-holding user-mode programs and let the people who are brave enough fend for themselves. Some days it seems that Moral Majority (inc.) has invaded my CRT as well as my TV. There are cheap forms of "insurance" against files being left writable. The easiest is some kind of "install" program to copy your executable to /whatever/bin and chown/chmod it appropriately. If you're really paranoid you could run ncheck or find on a regular basis to find each file with set-bits and make sure the protection is reasonable. I don't think this is really necessary. Ever hear the cliche "an ounce of prevention...?" (Back when 28.34952g was worth something?) --Eric /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ The opinions expressed are solely those of the author. "If you don't like it--don't use it" --David I. Bell ----------------------------------------------------------------- gopher://quux.org/ conversion by John Goerzen of http://communication.ucsd.edu/A-News/ This Usenet Oldnews Archive article may be copied and distributed freely, provided: 1. There is no money collected for the text(s) of the articles. 2. The following notice remains appended to each copy: The Usenet Oldnews Archive: Compilation Copyright (C) 1981, 1996 Bruce Jones, Henry Spencer, David Wiseman.