Here are a few key points to keep in mind, with regard to security:
- The use of setuid binaries, if poorly designed, is a security risk. Especially for setuid-root programs, they should be designed and tested to ensure that, while the process is in an elevated privileged state, it never spawns a shell or blindly accepts user commands (which are then executed internally).
- You must check the failure case of any of the set*id() system calls (setuid(2), seteuid(2), setreuid(2), setresuid(2)).
Consider this pseudo-code:
    run setuid-root program; EUID = 0
    do required work as root
    switch to 'normal' privileges: setuid(getuid())
    do remaining work as non-root
    [...]
Think about this: what if the preceding
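The flow in the pseudo-code above, with the privilege drop and its failure check written out in C (an added example, not code from the book). It assumes Linux/glibc: setresuid(2) and getresuid(2) are used in place of the bare setuid(getuid()) so that the real, effective and saved set-user-IDs are all set and then verified.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently drop to the invoking (real) user's privileges and verify it.
 * Returns 0 on success, -1 on failure; the caller must treat -1 as fatal.
 * setuid(2)/setresuid(2) can fail (e.g. EAGAIN when the target user is at
 * RLIMIT_NPROC); an unchecked failure leaves the process running as root. */
int drop_privileges(void)
{
    uid_t real = getuid();
    uid_t ruid, euid, suid;

    /* Set real, effective and saved UIDs so root cannot be regained later. */
    if (setresuid(real, real, real) == -1) {
        fprintf(stderr, "setresuid(%u) failed: %s\n",
                (unsigned)real, strerror(errno));
        return -1;
    }
    /* Verify the drop rather than trusting the return value alone. */
    if (getresuid(&ruid, &euid, &suid) == -1)
        return -1;
    if (ruid != real || euid != real || suid != real)
        return -1;
    /* If we were root before, regaining EUID 0 must now fail with EPERM. */
    if (real != 0 && seteuid(0) != -1)
        return -1;
    return 0;
}

int main(void)
{
    /* Phase 1: if installed setuid-root, EUID is 0 here; do root work. */
    printf("before drop: ruid=%u euid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    /* Phase 2: switch to 'normal' privileges, aborting on failure. */
    if (drop_privileges() == -1) {
        fprintf(stderr, "could not drop privileges; aborting\n");
        exit(EXIT_FAILURE);
    }
    printf("after drop:  ruid=%u euid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    /* Phase 3: remaining work runs as the non-root user. */
    return 0;
}
```

Run as an ordinary user the drop is a no-op that still passes all checks; installed setuid-root it drops to the caller's UID, and any failure of the set*id() call ends the program instead of continuing as root.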