Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site rti-sel.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!allegra!bellcore!decvax!mcnc!rti-sel!trt
From: trt@rti-sel.UUCP (Tom Truscott)
Newsgroups: net.unix-wizards
Subject: Re: unexpected alarms
Message-ID: <64@rti-sel.UUCP>
Date: Wed, 16-Jan-85 13:20:31 EST
Article-I.D.: rti-sel.64
Posted: Wed Jan 16 13:20:31 1985
Date-Received: Sat, 19-Jan-85 00:36:18 EST
References: <7175@brl-tgr.ARPA>
Organization: Research Triangle Institute, NC
Lines: 29

> On the Correctness of Set-User-ID programs
> Tom Truscott (duke!trt)
> James Ellis (duke!jte)
>
> The set-user-id (SUID) capability is a patented feature of UN*X,
> and is used by many programs (including Duke's Usenet news
> program), yet we know of no document which describes how to write
> secure SUID programs. ...
				from net.unix-wizards, late 1981 (?)

And we *still* know of no such document!!
(The above old article discussed instead "some of the pitfalls
that await designers of such programs.")

The "UNIX Programming - Second Edition" paper, by Kernighan and Ritchie,
deserves to be expanded to book length and have a chapter on
"obscure pitfalls."  Alas, it would probably never be a bestseller.

I wonder if secure SUID programs are actually feasible?
It was bad enough back in UNIX V7 days, with alarms and The Environment,
but now we have 4.2BSD with job control, and quotas!
There are twice as many system calls to worry about.
I bet you could have a lot of fun just with "setrlimit."

Now, these new features are too useful to be abandoned simply because
they have security pitfalls, and I suspect other equally expressive
operating systems have equally impressive security hazards,
but the question is can anything be done about it?
Have we lost control of UNIX security?

	Tom Truscott