[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: [PATCH] Fix system() behaviour when parameter is NULL
On Thu, Aug 28, 2008 at 03:32:20PM -0400, Steven M. Bellovin wrote:
> > Yes. However, is it the right one here? If system()'s caller is
> > set-id, I'm not convinced it will give the answer we want if the ruid
> > and euid have different access rights on _PATH_BSHELL.
> A different question entirely, and you may be right -- I was simply
> answer the question about whether access() is a security hole per se.
If someone calls system() while setugid, they deserve the
consequences, so I don't think it matters.
David A. Holland
Main Index |
Thread Index |