
Re: Proposal of new group



> > I see some possibilities to make a mess with suid shutdown, but not
> > much more mess than with turning the power off by the button,
> > but if you know any exploits of suid shutdown of which I don't know,
> > please tell me (I've found nothing in the manpages)
> 
> Well it would be a bit weird if root-exploits were described in manpages
> wouldn't it ;)

I talked about making a mess with shutdown, not root-exploits.
Such topics can often be found in manpages.

> But the source might contain a buffer overflow exploit, or another
> exploit. Yes, I wrote the code myself, and there is even a comment
> in the code about running setuid in a special group. But in my experience
> _every_ setuid program has at least one hole, no matter how careful
> you are. Avoiding setuid programs (esp. setuid root) is important.

shutdown accepts no user input as far as I know, so how can a user do
a buffer overflow?
Simple enough suid programs don't always have holes.
And shutdown will more probably shut the computer down, making a mess,
when something goes wrong.

> If you still consider doing this, at least 2 different experienced
> people should audit the program you want to make setuid (shutdown)
> to see if there are no security problems involved.

Come here and find them. I live in a deep province where nearly every computer has
windoze inside, so the most experienced users I can find are on this list.

