[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: בעניין: p.s. (was: Re: Shutdown by a user)
On Sat, 22 Jul 2000, netvision wrote:
> You can shutdown by a user, by building a special program for that purpose.
> This program will use the 'setuid' command with userid root, and the
> shutdown
> command with it's flags can be hard coded, or get the flags as parameters.
the way you describe this - you ight as well give those users the root
password, as your little program can be quite trivially fooled into
running any code the user wants to. in general, one should NOT write suid
programs without proper security checking. just as an example, one could
use the LD_PRELOAD environment variable in order to load a library that
defines 'system' as a function that simply spawns a shell and attaches its
prompt to the user's terminal.
no, sudo is better here.
guy
"For world domination - press 1,
or dial 0, and please hold, for the creator." -- nob o. dy
=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il