Subject: Re: replacement for /etc/passwd
To: Alan Post <apost@interwoven.com>
From: Todd Vierling <tv@pobox.com>
List: tech-security
Date: 12/10/2002 21:43:35

On Tue, 10 Dec 2002, Alan Post wrote:

: The current behavior *requires* either a daemon or setuid program.

What's the difference between cracking setuid in the current world and, say,
cracking setuid apost and setting *root*'s password in the new world (and,
since you've cracked the privs, adding the calling user to group wheel to do
the su root)?

I'm at a loss as to what this usefully accomplishes in terms of security.

-- 
-- Todd Vierling <tv@pobox.com>