From dawagner@tucson.princeton.edu Sat Nov  5 14:28:34 EST 1994
Article: 9159 of comp.security.unix
Newsgroups: comp.security.unix
Path: princeton!tucson.princeton.edu!dawagner
From: dawagner@tucson.princeton.edu (David A. Wagner)
Subject: Usefulness of a setuid nobody shell
Message-ID: <1994Nov5.185930.3964@Princeton.EDU>
Summary: Shouldn't there be some way to revoke privileges in Unix?
Originator: news@hedgehog.Princeton.EDU
Sender: news@Princeton.EDU (USENET News System)
Nntp-Posting-Host: tucson.princeton.edu
Organization: Princeton University
Date: Sat, 5 Nov 1994 18:59:30 GMT
Lines: 22

A while ago I had the chance to make myself a setuid nobody
shell [well, actually a tiny C program which execs /bin/sh].
Don't get me wrong: I didn't want this for nefarious purposes.
Instead, I've put it to good use several times when I want
to run a program without giving the program access to all
my files.

[Example scenarios: you want to run an IRC client, or test some
code which you got from the net, or you want to run a game from
someone else's public directory -- and you want to be safe from
Trojan horses.  Yes, I know this doesn't protect you from a
Trojan which mails /etc/passwd to a bad guy, but it's much
better than nothing.]

Shouldn't Unix have a way to temporarily revoke privileges?

In other words, suppose everyone had access to a setuid nobody
program like this -- wouldn't this be an enormously useful
little tool?  Any comments?

-------------------------------------------------------------------------------
David Wagner                                             dawagner@princeton.edu
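
A wrapper of the kind the post describes, as an added example that is not part of the original post and is not the author's program: it is written to be installed setuid to an unprivileged account such as nobody, makes that identity irreversible, and then execs /bin/sh. The function names, the fixed environment values and the refusal to run with euid 0 are assumptions of this example.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Make the IDs granted by the setuid/setgid bits permanent (real = effective
 * = saved). Returns 0 only if the caller's own IDs can no longer be regained. */
int commit_to_effective_ids(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    if (setregid(egid, egid) != 0 || setreuid(euid, euid) != 0)
        return -1;
    /* Verify instead of trusting the calls: switching back must now fail. */
    if (ruid != euid && (setuid(ruid) == 0 || seteuid(ruid) == 0))
        return -1;
    if (rgid != egid && (setgid(rgid) == 0 || setegid(rgid) == 0))
        return -1;
    return (getuid() == euid && geteuid() == euid) ? 0 : -1;
}

/* Fixed environment: nothing set by the caller (PATH, IFS, ENV, LD_*) reaches
 * the shell. Writes at most cap-1 entries plus NULL; returns the entry count. */
int build_clean_env(char *envp[], int cap)
{
    static char *fixed[] = { "PATH=/usr/bin:/bin", "HOME=/", "SHELL=/bin/sh" };
    int n = 0;

    while (n < 3 && n < cap - 1) { envp[n] = fixed[n]; n++; }
    envp[n] = NULL;
    return n;
}

int main(void)
{
    char *envp[4];
    long fd, maxfd = sysconf(_SC_OPEN_MAX);

    if (geteuid() == 0 || commit_to_effective_ids() != 0) {
        fputs("refusing: euid is 0 or IDs could not be made permanent\n", stderr);
        return 1;
    }
    /* Descriptors inherited from the caller still reach the caller's files. */
    for (fd = 3; fd < maxfd; fd++)
        close((int)fd);
    build_clean_env(envp, 4);
    execle("/bin/sh", "sh", (char *)NULL, envp);
    perror("execle /bin/sh");
    return 1;
}
```

The shell started this way keeps the invoking user's supplementary groups, because changing them needs privilege this wrapper does not have, so group-accessible files stay reachable.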



