Re: "setuid(UID)" and "chmod 4550" misbehaving

[John Summerfield <debian@ComputerDatasafe.com.au>]

Will Trillich wrote:

> On Tue, Jun 22 at 08:41AM +0800, John Summerfield wrote:
>  
>
> > Will Trillich wrote:
> >
> >    
> >
> > > TASK:     allow USER1 to run a program AS USER2.
> > > SOLUTION: setuid bit (in theory, right?)
> > > PROBLEM:  theory not matching execution...
> > >
> > > we've got a little C program that must be RUN AS a certain user
> > > (cyrus) BY another user (www-data) so we figured turning on the
> > > SETUID bit would work:
> > >      
>
>  
>
> > Why would you not use sudo?
> >    
>
> you mean, have apache use sudo to change a user's email (sasl)
> password? the purpose of this gizmo is to have the web server
> set up to allow users to change their own passwords via a web
> interface.
>  
Why not? It's _exactly_ what you're trying to do with the setuid 
program. Eiher way you must authenticate the user, then run "some 
program" to make the update. Sudo is already there, and works. Your C 
program isn't yet debugged.

From a security stand-point I don't see the difference.