[[Sig] Setuid -- am I doing it right?]
Randy Kramer
rhkramer@fast.net
Tue, 15 May 2001 10:47:50 -0400
Paul,
Thanks!
I wonder if I can recompile some of my old Turbo Pascal or Visual Basic
programs under Linux? ;-)
BTW, what am I missing -- why does allowing setuid on an executable
create less of a security risk than allowing setuid on a script, except
to the extent that maybe fewer people can write a c program or
understand and modify a binary? I guess that is the difference -- I
know that I can do anything in a c program that a script can do, whether
I can write something like `chown nobody` in c or have to set the file
parameters using something that looks more like "real" c code.
And, if there is no less of a security risk, isn't that a variety of
"security by obscurity" (as some critics of Microsoft and proponents of
open source software deprecate)? (I better not go there -- just an
observation -- not a question for you but more a rhetorical question for
the Microsoft critics. ;-)
Randy Kramer
Paul F. Ryan wrote:
>
> I fought this problem years back before discovering that Linux does not
> support SETUID/SETGID on scripts, only executables. It would be a BIG security
> hole if they allowed it...
>
> The solution? Write it in 'c', compile it, then use setuid/setgid.
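
The approach from the quoted advice (do the privileged step in a compiled C program and put the setuid bit on that), as an added example that is not part of the original thread. The `TARGET` path and the `safe_arg` helper are hypothetical names chosen for illustration; the wrapper passes nothing from the caller's environment and never invokes a shell.

```c
/* Added example: minimal setuid wrapper (not from the original thread).
 * Build and install, as root:
 *   cc -o wrapper wrapper.c && chown root wrapper && chmod 4755 wrapper
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical target: must be root-owned and not writable by other users. */
#define TARGET "/usr/local/sbin/site-task"

/* Fixed environment: the caller's PATH, IFS, LD_* and so on do not survive. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Accept only a short name made of [A-Za-z0-9._-] that does not start
 * with '-' (option injection) or '.' (hidden files, "../" traversal). */
int safe_arg(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-' || *s == '.')
        return 0;
    if (strlen(s) > 64)
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && *s != '_' && *s != '-')
            return 0;
    return 1;
}

int main(int argc, char **argv)
{
    if (argc != 2 || !safe_arg(argv[1])) {
        fprintf(stderr, "usage: wrapper NAME\n");
        return 2;
    }
    /* Absolute path, explicit argv, fixed envp: no shell, no PATH lookup. */
    char *const args[] = { "site-task", argv[1], NULL };
    execve(TARGET, args, clean_env);
    perror("execve");   /* reached only if execve failed */
    return 1;
}
```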