inheritable set [was Re: caps in elf headers: use the sticky bit!]

Pavel Machek (
Sat, 17 Apr 1999 15:11:45 +0200


> In traditional unix, every utility has inheritable set set to FULL by
> default. I do not think it is good idea to change that.
> I have to disagree; making inheritible set to be NULL by default, and
> only allowing someone with privileges to set the inheritable set is
> extremely important.
> Consider that there are many security holes in Unix which are caused by
> the fact that by default processes inherit full privleges. For example,
> consider the old security problem where /usr/ucb/Mail used the "more"
> pager, and you could cause "more" to cause a shell to be executed by
> using the '!' command to more. Since /usr/ucb/Mail used to be setuid
> root, you could get a root shell that way! Oops. This has been fixed
> in modern Unix systems, but shows that you have to be extremely paranoid
> when you write setuid programs, less you fall into similar traps.

Which only means that "more" should have inheritable set equal to
zero. I _still_ do not see why setting inheritable set should be
privileged operation. Secure programs should not execute external
applications of normal users. [Do you aim at /usr/ucb/Mail being
safelly able to execute user-supplied programs? That would be
NICE... but can you make it unix?]

Ok, given example with "more"... I do not think inheritable set of
"more" set to NULL would help: even if it was that way, shell executed
from more would have uid == 0 and no privileges. But what user owns
/etc/passwd? uid == 0. And I've got a shell with... uid == 0. So I do
not need any privilege (it is owned by same uid!) to edit /etc/passwd
and you are screwed; anyway. I could this be solved in "pure
capabilities" system, but I do not see how you want to fit protection
against "more" attack and still be unix.


I'm really 	   Pavel
Look at ;-).

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to Please read the FAQ at