Subject: Re: Addition to force open to open only regular files
To: matthew green <>
From: Robert Elz <kre@munnari.OZ.AU>
List: tech-kern
Date: 11/13/2000 18:27:15
    Date:        Mon, 13 Nov 2000 21:02:27 +1100
    From:        matthew green <>
    Message-ID:  <>

  | to a significant portion of us, such an audit is *never* good enough,

The whole notion of setuid depends upon confidence in the program.
It is an "all or nothing" kind of priv granting - the only way to
safely turn on a setuid bit, ever, is to have confidence in all of the
code that is being affected.   It has always been that way - the only
remedy to this is to switch to some other priv model entirely.

  | i wish it were that simple.  (c) makes it "impossible."

Fortunately (c) is irrelevant - you can't possibly be asked to guarantee
that all code added by anyone, ever, in the future, will be safe (which
was what (c) was requesting).  Caveat Emptor is important - those who
add the setuid programs must take responsibility for their actions.