How can I limit access to a SUID/SGID process-image safely?

The question may seem vague but sometimes it would seem attractive to have a SUID process that is only executable by a particular set of users. Some time ago I implemented a distributed network monitoring package that had Java clients talk to it remotely, and sniffers running on different servers (a very ambitious undertaking). The actual servers were run under a special group called "sly" that would in turn have access to a SUID process-image to do all the sniffing.

The child process ran as root, but could only be executed by users in the group "sly." At first this looks good. The actual server does not run with special privileges, and it would seem that if it got exploited the attacker would not gain root privileges.

However, he would gain privileges for the group "sly" that would let him sniff the local network. If he was then able to exploit the sniffer, he would gain root privileges. But he needs to exploit the server to the point of executing arbitrary code on the machine.

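The layout described in the question (a root-owned SUID helper that only members of group "sly" may execute) can be audited with a check like the following. This is an added example, not code from the original post; the function names, the sample gid 1500 and the choice of mode 4750 as the intended setting are assumptions.

```python
import os
import stat

SLY_GID = 1500                       # constructed sample gid for group "sly"
GOOD_MODE = stat.S_IFREG | 0o4750    # assumed target: rwsr-x--- root:sly
OPEN_MODE = stat.S_IFREG | 0o4755    # SUID helper that anyone can execute


def audit_mode(mode, uid, gid, allowed_gid):
    """Return the problems found for a group-restricted SUID-root helper.

    An empty list means: regular file, owned by root, setuid, executable
    by the restricted group only, and writable by the owner only.
    """
    problems = []
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")
    if uid != 0:
        problems.append("owner is not root")
    if not mode & stat.S_ISUID:
        problems.append("setuid bit not set")
    if gid != allowed_gid:
        problems.append("group is not the restricted group")
    if not mode & stat.S_IXGRP:
        problems.append("restricted group cannot execute")
    if mode & stat.S_IXOTH:
        problems.append("executable by users outside the group")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by non-owner")
    return problems


def audit_path(path, allowed_gid):
    """Audit a file on disk; lstat so a symlink is not taken for the helper."""
    st = os.lstat(path)
    return audit_mode(st.st_mode, st.st_uid, st.st_gid, allowed_gid)


if __name__ == "__main__":
    # Constructed cases: the intended layout, then three ways it drifts.
    cases = [
        ("intended", GOOD_MODE, 0, SLY_GID),
        ("world-executable", OPEN_MODE, 0, SLY_GID),
        ("wrong group", GOOD_MODE, 0, 100),
        ("group-writable", stat.S_IFREG | 0o4770, 0, SLY_GID),
    ]
    for label, mode, uid, gid in cases:
        print(label, audit_mode(mode, uid, gid, SLY_GID) or "ok")
```

The check covers only the file's own metadata; it says nothing about whether the helper itself can be exploited once a member of the group runs it, which is the second step the question is concerned with.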

I can't really give you an answer, but what I can give you is a way to a solution; that is, you have to find the angle that you relate to or that piques your interest. A good paper is one that people get drawn into because it reaches them in some way. As for me, WWII to me, I think of the Holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.
