[Mono-dev] setuid application

Robert Jordan robertj at gmx.net
Mon Mar 2 13:11:32 EST 2009

Gladish, Jacob wrote:
> Before proceeding with my current plan, I wanted to get any feedback
> from anyone who may have explored building a mono app that has
> setuid. My application is mostly managed code, with a few p/invoke
> calls, but it's been pretty platform agnostic thus far. I need to
> have setuid privileges on my app, and the best way I have come up
> with so far is to have a small native app that acts as a host that
> has setuid on it. I certainly don't want to change the permissions on
> /usr/bin/mono. Does anyone have any other suggestions?

Employing a wrapper is a good plan, but you should sanitize
or clean the environment (i.e. wiping all vars which start with
MONO_*) before passing control to mono. Otherwise a malicious caller
might be able to instruct mono to create arbitrary files with
the ID of the setuid user.


More information about the Mono-devel-list mailing list