Subject: Re: Addition to force open to open only regular files
To: matthew green <firstname.lastname@example.org>
From: Robert Elz <kre@munnari.OZ.AU>
Date: 11/13/2000 18:27:15
Date: Mon, 13 Nov 2000 21:02:27 +1100
From: matthew green <email@example.com>
| to a significant portion of us, such an audit is *never* good enough,
The whole notion of setuid depends upon confidence in the program.
It is an "all or nothing" kind of priv granting - the only way to
safely turn on a setuid bit, ever, is to have confidence in all of the
code that is being affected. It has always been that way - the only
remedy to this is to switch to some other priv model entirely.
| i wish it were that simple. (c) makes it "impossible."
Fortunately (c) is irrelevant - you can't possibly be asked to guarantee
that all code added by anyone, ever, in the future, will be safe (which
was what (c) was requesting). Caveat Emptor is important - those who
add the setuid programs must take responsibility for their actions.