Subject: Re: $HOSTALIASES thing.
To: Brett Lymn <blymn@baesystems.com.au>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-kern
Date: 11/05/2000 21:13:22
On Sun, Nov 05, 2000 at 08:43:20PM +1030, Brett Lymn wrote:
> >A nice mechanism is to have programs that used to be setuid become setgid;
> >they can then exec tiny setuid programs that are executable only by the
> >appropriate group, which can then pass them back the descriptors they need.
> >This technique is simple, elegant, and has the benefit that it completely
> >isolates all code that runs with root privileges, so it's much easier to
> >verify.
> >
> 
> But it does lead to a proliferation of setuid programs which, in
> itself, is not good.  If someone can get into the right group then
> they will then have a nice array of setuid programs that will give
> them all sorts of access.

I think you rather seriously misunderstand, or haven't thought through
the issue thoroughly.

It is quite unlikely, using this approach, to end up with *more* setuid
programs than you already had; the difference is that rather than having
a large setuid program that anyone can run and that you have to trust to
drop privs appropriately, or spend a lot of time analyzing, you have a
small setuid program that can only be run by members of one group (which
you don't actually put anyone in!) and only does one thing.

You also appear to be laboring under the misconception that it would
be advisable to use setgid to the _same group_ to protect access to
the extracted setuid bits of our various setuid programs; this would
seem to me to be rather obviously not the right idea.
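The design above hinges on the tiny setuid helper handing descriptors back to its setgid caller. As an added illustration (not code from this mail or from NetBSD), here is that descriptor-passing step in C using SCM_RIGHTS over a socketpair; it assumes a fork()ed child standing in for the exec of a real setuid helper so it runs without privileges, and the helper returns only the read end of a pipe it opened.

```c
/* Added example (not from the mail): an unprivileged parent receives an open
 * descriptor from a child that stands in for the tiny setuid helper, via
 * SCM_RIGHTS. Assumption: fork() replaces exec() of a real setuid binary. */
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
union cbuf { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; }; /* aligned */
/* Send one descriptor over a UNIX socket; 0 on success, -1 on error. */
static int send_fd(int sock, int fd) {
    char byte = 'F'; union cbuf u;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    memset(&u, 0, sizeof u);
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
/* Receive one descriptor; the new fd, or -1 without a well-formed SCM_RIGHTS. */
static int recv_fd(int sock) {
    char byte; union cbuf u;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}
/* Unprivileged side: helper opens a resource, hands back only the read end.
 * Returns the byte read through it ('x'), or -1 on failure. */
int privsep_demo(void) {
    int sv[2], p[2], fd; char c = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {                          /* stand-in for the setuid helper */
        close(sv[0]);
        if (pipe(p) < 0 || write(p[1], "x", 1) != 1) _exit(1);
        _exit(send_fd(sv[1], p[0]) == 0 ? 0 : 1);
    }
    close(sv[1]); fd = recv_fd(sv[0]); waitpid(pid, NULL, 0);
    if (fd < 0) return -1;
    ssize_t n = read(fd, &c, 1); close(fd); close(sv[0]);
    return n == 1 ? c : -1;
}
```

In a real deployment the child would exec the group-restricted setuid binary and the parent would keep no privilege at all; the control-message checks in recv_fd are what stop a misbehaving helper from handing back something other than a single descriptor.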