How to securely manipulate user files
Here is a thesis:
The only way to securely do operations on user files is to do them as the user.
(You may also add 'correctly' to this.)
Over and over again I have seen root-run administrative programs and scripts try to manipulate user files in various ways, and over and over again I have seen them have problems and security holes. This is not because they were badly written, it's because there are a lot of race conditions lurking in the underbrush unless you are extraordinarily aware and careful.
The only genuinely reliable way out is to get rid of the entire problem. The problem is that an attacker is tricking you into manipulating the wrong files with special privileges, so get rid of the special privileges; when you manipulate files, do all of the manipulation as the user themselves. As a bonus you will get around any NFS root permission problems, where root actually has fewer privileges than the regular user does, not more.
(Please don't do this by temporarily switching the user's UID and then switching back, because that way you still have elevated privileges, even if they're latent.)
This is relatively easy in most shell scripts if you make yourself a runas command that just setuids (thoroughly) to the user and runs a command for you. The simple use of it is to run every command that touches user files as the user by putting runas in front of the command. The more advanced usage is to split your shell script or program into multiple scripts, and then use runas in your main script to run the as-user script with appropriate arguments.
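A minimal runas of the kind described above, as an added example (not the post's own code, and assuming a Linux/POSIX system with getpwnam and initgroups): it becomes the user completely, with supplementary groups, gid and all three uids set, verifies that root cannot be regained, and then execs the command directly rather than through a shell.

```c
/* runas: drop *all* privileges to a named user, then exec a command.
 * Added example, not the original post's code; assumes Linux/POSIX. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Return 1 only if every identity is the target and root cannot be regained. */
int privileges_fully_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    /* A "latent" root (saved set-uid still 0) would let seteuid(0) succeed;
     * that is exactly the temporary-switch pattern the post warns against. */
    if (uid != 0 && seteuid(0) == 0) return 0;
    return 1;
}

/* Thoroughly become pw: supplementary groups first, then gid, then uid.
 * The order matters: once the uid is dropped, the group calls would fail. */
int drop_to_user(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1; /* as root: real, effective and saved uid */
    return privileges_fully_dropped(pw->pw_uid, pw->pw_gid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc < 3) { fprintf(stderr, "usage: runas user command [args...]\n"); return 2; }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) { fprintf(stderr, "runas: no such user %s\n", argv[1]); return 1; }
    if (pw->pw_uid == 0) { fprintf(stderr, "runas: refusing to run as root\n"); return 1; }
    if (drop_to_user(pw) != 0) { perror("runas: could not drop privileges"); return 1; }
    /* From here on we are exactly the user: no shell, no rc files, no way back. */
    execvp(argv[2], argv + 2);
    perror("runas: exec failed");
    return 127;
}
```

The verification step is what makes "thoroughly" checkable: if the drop left a saved root uid behind, the program refuses to exec anything.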
(You don't want to use su because it does too much; among other things, it runs a shell, often the user's shell, and users can have .cshrcs. I've been there and stubbed my