Subject: Re: $HOSTALIASES thing.
To: Simon Gerraty <sjg@juniper.net>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-kern
Date: 11/03/2000 19:48:05
In message <200011032342.PAA45052@garnet.juniper.net>, Simon Gerraty writes:
>On Fri, 03 Nov 2000 10:58:41 PST, Thor Lancelot Simon wrote:
>>A nice mechanism is to have programs that used to be setuid become setgid;
>>they can then exec tiny setuid programs that are executable only by the
>>appropriate group, which can then pass them back the descriptors they need.
>>This technique is simple, elegant, and has the benefit that it completely
>>isolates all code that runs with root privileges, so it's much easier to
>>verify.
>
>Yep.  I've used a simple set-uid tool which does binding of reserved
>sockets this way.  An ftp proxy for instance calls bind_port() which
>does the binding directly if possible, otherwise invokes the set-uid
>tool to do it.  The library call and tool are both compiled from the
>same .c file - so it's easy to be sure they do things the same way.

Right.  I described a similar scheme in my Firewalls book.

		--Steve Bellovin
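
The descriptor-passing scheme discussed in this thread, as an added example that is not part of the original messages or of any poster's actual tool. The names `send_fd`, `recv_fd` and `bind_via_helper` are hypothetical, and a forked child binding port 0 on the wildcard address stands in for the exec'd set-uid helper so the code runs unprivileged.

```c
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Aligned control buffer sized for exactly one descriptor. */
typedef union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } ctl_t;

/* Helper side: pass fd over a Unix-domain socket as SCM_RIGHTS data. */
static int send_fd(int chan, int fd) {
    char byte = 0; ctl_t ctl; memset(&ctl, 0, sizeof ctl);
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Caller side: accept exactly one descriptor; anything else is a failure. */
static int recv_fd(int chan) {
    char byte; ctl_t ctl; int fd = -1;
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.buf, .msg_controllen = sizeof ctl.buf };
    if (recvmsg(chan, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof fd)) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Unprivileged caller: have the helper bind `port`; returns the socket or -1. */
int bind_via_helper(unsigned short port) {
    int sp[2], fd = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {   /* helper: the only code that would run with privilege */
        struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port) };
        int s = socket(AF_INET, SOCK_STREAM, 0);
        _exit(s < 0 || bind(s, (struct sockaddr *)&a, sizeof a) || send_fd(sp[1], s));
    }
    close(sp[1]);     /* so recv_fd sees EOF instead of blocking if the helper fails */
    if (pid > 0) { fd = recv_fd(sp[0]); waitpid(pid, NULL, 0); }
    close(sp[0]);
    return fd;
}
```

In a real deployment the child branch would be a separate set-uid binary, executable only by the caller's group, that inherits the socketpair end across `exec`.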