Re: [AD] Possible bug in src/libc.c



On Sat, Feb 17, 2001 at 12:09:54AM +0100, Stepan Roh wrote:
> There is also euidaccess() which tests for effective ids, but that's
> glibc's extension. I checked its code and it is a little bit better, but
> generally the same as my code (with exception to supplementary groups
> checking). But if anyone is making Allegro programs setuid, the smallest
> problem is that FA_RDONLY is not set on proper files. Making any program
> setuid is a big security (and, in case of Allegro and svgalib or DGA,
> system stability) hole. He will be punished by something else :-).

I think it's sufficient just to check whether the effective uid
is 0, in which case the file is not read-only.  99% of Allegro
programs running with a different euid will have the euid of
root, in which case they have write access to all existing
files.

George
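
Added example (not part of the original messages and not Allegro's source): a mode-bit check against the effective ids that includes the supplementary-group test mentioned in the quoted text and the euid 0 shortcut from the reply. The names `readonly_for_ids` and `file_is_readonly` are hypothetical, and ACLs, read-only mounts and immutable flags are assumed absent.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pure decision: 1 if a process with these effective ids cannot write a
 * file with this mode/owner/group, 0 if it can. Hypothetical helper. */
int readonly_for_ids(mode_t mode, uid_t fuid, gid_t fgid,
                     uid_t euid, gid_t egid,
                     const gid_t *groups, int ngroups)
{
    int i;
    if (euid == 0)
        return 0;                     /* root writes regardless of mode bits */
    if (euid == fuid)
        return !(mode & S_IWUSR);     /* owner class decides; no fall-through */
    if (egid == fgid)
        return !(mode & S_IWGRP);
    for (i = 0; i < ngroups; i++)     /* supplementary groups */
        if (groups[i] == fgid)
            return !(mode & S_IWGRP);
    return !(mode & S_IWOTH);
}

/* Wrapper for the current process: -1 if stat() fails, else 0 or 1. */
int file_is_readonly(const char *path)
{
    struct stat st;
    gid_t groups[64];                 /* assumed large enough for this sketch */
    int n;
    if (stat(path, &st) != 0)
        return -1;
    n = getgroups(64, groups);
    if (n < 0)
        n = 0;                        /* fall back to euid/egid only */
    return readonly_for_ids(st.st_mode, st.st_uid, st.st_gid,
                            geteuid(), getegid(), groups, n);
}

int main(int argc, char **argv)
{
    if (argc > 1)
        printf("%s: %d\n", argv[1], file_is_readonly(argv[1]));
    return 0;
}
```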


