Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site umcp-cs.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxj!ihnp4!zehntel!hplabs!hao!seismo!umcp-cs!chris
From: chris@umcp-cs.UUCP (Chris Torek)
Newsgroups: net.bugs.4bsd
Subject: Re: SECURITY HOLE in tftpd
Message-ID: <48@umcp-cs.UUCP>
Date: Fri, 21-Sep-84 10:20:07 EDT
Article-I.D.: umcp-cs.48
Posted: Fri Sep 21 10:20:07 1984
Date-Received: Wed, 26-Sep-84 04:16:52 EDT
References: <442@unmvax.UUCP>
Distribution: net
Organization: U of Maryland, Computer Science Dept., College Park, MD
Lines: 27

Perhaps the solution to ``who is the user with no permissions'' is to
claim that every system should have a login and group name of ``guest''
(not necessarily one that can be used to log in).  That is, /etc/passwd
might have

	.
	.
	.
	guest:*:99:99:Guest account:/tmp:/bin/notashell
	.
	.
	.

and /etc/group would then have

	guest:*:99:

in it.  Then any setuid program that must have no special permissions
can use getpwnam and/or getgrnam to set its user and group IDs.

Then again, perhaps that's not the solution.  (Do I need this? :-))
-- 
(This page accidentally left blank.)

In-Real-Life: Chris Torek, Univ of MD Comp Sci (301) 454-7690
UUCP:	{seismo,allegra,brl-bmd}!umcp-cs!chris
CSNet:	chris@umcp-cs		ARPA:	chris@maryland
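
The lookup-then-drop step described in the post above, as an added example that is not part of the original article. It assumes the process starts with effective UID 0 and that the ``guest'' passwd and group entries exist as shown; the function names lookup_unpriv and drop_privs are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Added example (hypothetical helper). Resolve names to IDs.
 * Returns 0 on success, -1 if a name is unknown, -2 if a name maps
 * to ID 0, since switching to ID 0 would not drop anything. */
int lookup_unpriv(const char *user, const char *group, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    if (pw->pw_uid == 0) return -2;
    uid_t u = pw->pw_uid;         /* copy before the next lookup */
    struct group *gr = getgrnam(group);
    if (gr == NULL) return -1;
    if (gr->gr_gid == 0) return -2;
    *uid = u;
    *gid = gr->gr_gid;
    return 0;
}

/* Permanently give up privileges (assumes we start with euid 0).
 * Order matters: supplementary groups and gid while still privileged,
 * uid last. Every call is checked; returns 0 on success, -1 otherwise. */
int drop_privs(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1;  /* discard inherited groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop: regaining root must fail, IDs must match. */
    if (setuid(0) == 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

int main(void)
{
    uid_t uid; gid_t gid;
    if (lookup_unpriv("guest", "guest", &uid, &gid) != 0 ||
        drop_privs(uid, gid) != 0) {
        fprintf(stderr, "cannot drop to guest, refusing to continue\n");
        return 1;                 /* fail closed: never run on with privileges */
    }
    /* ... handle requests as guest from here on ... */
    return 0;
}
```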