Re: [bug-inetutils] remove group-writability for setuid programs

From: Paul Jarc
Subject: Re: [bug-inetutils] remove group-writability for setuid programs
Date: Mon, 05 Jan 2009 15:03:59 -0500
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux)

Sergey Poznyakoff <address@hidden> wrote:
> But the main supposition behind make install was that it sets
> rather liberal permissions, expecting the user to tighten them as he
> feels fit by using proper umask settings.

umask doesn't affect the "install" program:

    # umask
    0022
    # install /bin/true -o root -m 4775 /tmp/true
    # ls -l /tmp/true
    -rwsrwxr-x 1 root default 642704 Jan 5 14:57 /tmp/true

If you want umask to take effect, don't specify the permissions in the
arguments for install. Instead, use chmod after installing, and
modify only the bits you care about:

    # install program -o root /bindir/program
    # chmod u+s /bindir/program

Even if umask is used, the user may not have thought about setuid
programs when setting their umask. For setuid programs, you will
cause far less damage by being too cautious than by being too
permissive. It's far better to be restrictive, and let the user chmod
the program afterwards if they need to, than to create a security
hole.

paul
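
A post-install check for the condition discussed in this message, as an added example that is not part of the original post or of inetutils. It assumes GNU coreutils and findutils (`install`, `stat -c`, `find`); the function names and the scratch directory are hypothetical, and it runs without root, so `-o root` is left out.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes GNU coreutils/findutils.

# List setuid/setgid regular files under $1 that are group- or world-writable.
# Prints one path per line; returns 1 if any were found, 0 otherwise.
audit_setuid_writable() {
    found=$(find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
                 \( -perm -020 -o -perm -002 \) -print)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Repeat the session from the message in a scratch directory:
# run "install -m MODE" under the given umask, print the resulting mode,
# and return the audit result for that directory.
#   $1 = mode passed to install -m (e.g. 4775), $2 = umask (e.g. 077)
install_mode_under_umask() {
    dir=$(mktemp -d) || return 2
    (
        umask "$2"
        # Constructed stand-in for the program being installed.
        printf '#!/bin/sh\nexit 0\n' > "$dir/src"
        install -m "$1" "$dir/src" "$dir/prog"
    ) || { rm -rf "$dir"; return 2; }
    stat -c '%a' "$dir/prog"
    audit_setuid_writable "$dir" >/dev/null && rc=0 || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Example use:
#   install_mode_under_umask 4775 077   # explicit -m wins over the umask
#   audit_setuid_writable "$DESTDIR"    # run against a staged "make install"
```

Running `audit_setuid_writable` against a staged install tree (for example one created with `make install DESTDIR=...`) lets a packager catch a group-writable setuid file before it reaches a live system.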