LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

suid-binary vulnerabilities

suid-binary vulnerabilities

Posted Oct 29, 2010 13:41 UTC (Fri) by marcH (subscriber, #57642)
In reply to: suid-binary vulnerabilities by kees
Parent article: Two glibc vulnerabilities

> Why? If this is about whole-system security, there will still be binaries with CAP_SETUID (su, sudo, newrole, seunshare, etc).

"Let's not bother making the windows more secure, because the front door sucks anyway".

Actually, let's bother. Because it's progress:
- progress towards the entire perimeter being finally secured.
- some malware knows only about windows. Being hacked once a month is progress compared to twice.

> It absolutely reduces the attack surface in general,...

Agreed!

(Log in to post comments)

suid-binary vulnerabilities

Posted Oct 29, 2010 15:14 UTC (Fri) by kees (subscriber, #27264) [Link]

Right, I don't meant to say it shouldn't be done. Getting rid of the setuid bit is a great goal. I was just trying to point out that it does not solve problems like those recently found in glibc. It _does_, of course, kill a whole separate set of problems, and I love that. :) I just don't want people to think dropping setuid bits is a magic bullet for solving all local privilege escalations.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds