tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: [PATCH] Fix system() behaviour when parameter is NULL

On Thu, Aug 28, 2008 at 03:32:20PM -0400, Steven M. Bellovin wrote:
 > > Yes.  However, is it the right one here?  If system()'s caller is
 > > set-id, I'm not convinced it will give the answer we want if the ruid
 > > and euid have different access rights on _PATH_BSHELL.
 > A different question entirely, and you may be right -- I was simply
 > answer the question about whether access() is a security hole per se.

If someone calls system() while setugid, they deserve the
consequences, so I don't think it matters.

David A. Holland

Home | Main Index | Thread Index | Old Index