bug-inetutils

Re: [bug-inetutils] remove group-writability for setuid programs


From: Paul Jarc
Subject: Re: [bug-inetutils] remove group-writability for setuid programs
Date: Mon, 05 Jan 2009 15:03:59 -0500
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux)

Sergey Poznyakoff <address@hidden> wrote:
> But the main supposition behind make install was that it sets
> rather liberal permissions, expecting the user to tighten them as he
> feels fit by using proper umask settings.

umask doesn't affect the "install" program:
# umask
0022
# install /bin/true -o root -m 4775 /tmp/true
# ls -l /tmp/true
-rwsrwxr-x 1 root default 642704 Jan  5 14:57 /tmp/true

If you want umask to take effect, don't specify the permissions in the
arguments for install.  Instead, use chmod after installing, and
modify only the bits you care about:
# install program -o root /bindir/program
# chmod u+s /bindir/program

Even if umask is used, the user may not have thought about setuid
programs when setting their umask.  For setuid programs, you will
cause far less damage by being too cautious than by being too
permissive.  It's far better to be restrictive, and let the user chmod
the program afterwards if they need to, than to create a security
hole.


paul
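
The two checks this message points to, as an added example that is not part of the original message: installed_mode prints the permissions that "install -m" produces under a given umask, and writable_setid lists setuid or setgid files that group or others can write. Both function names are hypothetical, and the script assumes an install program that accepts -m (GNU coreutils or BSD).

```shell
#!/bin/sh
# Added example, not code from the thread or from inetutils.
# Function names are hypothetical.

# installed_mode UMASK MODE
# Install an empty scratch file with "install -m MODE" while UMASK is in
# effect, then print the permission string as "ls -l" shows it.
installed_mode() {
    dir=$(mktemp -d) || return 1
    : > "$dir/src"
    # The umask is changed only inside this subshell.
    ( umask "$1" && install -m "$2" "$dir/src" "$dir/dst" ) || {
        rm -rf "$dir"
        return 1
    }
    # Keep only the ten type/permission characters (drops any ACL marker).
    ls -l "$dir/dst" | cut -c1-10
    rm -rf "$dir"
}

# writable_setid DIR...
# Print regular files that carry the setuid or setgid bit and are also
# writable by group or by others. Uses only POSIX find primaries.
writable_setid() {
    find "$@" -type f \
        \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) -print
}
```

For example, "installed_mode 077 4775" still prints -rwsrwxr-x, and "writable_setid /tmp" would list the /tmp/true file created in the message.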



