Date: Mon, 7 Jun 2004 01:30:51 -0700
From: David Schultz <das@FreeBSD.ORG>
To: Stefan Eßer <se@FreeBSD.ORG>, hackers@FreeBSD.ORG
Subject: Re: Semantics of "seteuid(uid)" vs. "setreuid(-1,uid)"
Message-ID: <20040607083051.GA13982@VARK.homeunix.com>
In-Reply-To: <20040606124734.GA2687@StefanEsser.FreeBSD.org>
References: <20040606124734.GA2687@StefanEsser.FreeBSD.org>
On Sun, Jun 06, 2004, Stefan Eßer wrote:
> Any reason, that there is a difference in semantics between:
>
> 	seteuid(id)  vs.  setreuid(-1, id)  ???
>
> The tests performed on the arguments are different (assuming a
> fixed arg of -1 for ruid) in that seteuid does not support the
> case of (euid == cr_uid):
> [...]
> Is the difference between seteuid() and setreuid() deliberate ?

The best rationale I can think of is that setreuid(x, geteuid())
does something useful, whereas seteuid(geteuid()) is a no-op.
I think the seteuid() behavior you complain about exists for
purely historical reasons.

POSIX does not require seteuid(geteuid()) to succeed, but it
implicitly allows it as an extension.  Solaris and Linux have
this extension.  The trouble with tweaking the interface is that
you always have to ask: what new security holes could this open
up in existing software?

Hao Chen points out that the failure of seteuid(geteuid()) in
FreeBSD is one of many tricky issues with using the set*uid()
interface portably.  In my (biased) opinion, his Setuid
Demystified paper is well worth reading if you want to untangle
this stuff in your mind:

	http://www.usenix.org/events/sec02/full_papers/chen/chen.pdf
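One way for portable code to avoid depending on seteuid(geteuid()) succeeding, as an added example that is not part of the message above or of FreeBSD's code. The helper names set_euid_portable, run_as_euid and euid_matches are hypothetical.

```c
/* Added example: hypothetical helpers, not taken from the thread. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* declares seteuid() under strict -std modes */
#endif
#include <errno.h>
#include <sys/types.h>
#include <unistd.h>

/* Switch the effective UID without relying on seteuid(geteuid()) being
 * accepted. Returns 0 on success, -1 with errno set on failure. */
int set_euid_portable(uid_t target)
{
    if (geteuid() == target)
        return 0;                /* already there: make no call at all */
    if (seteuid(target) != 0)
        return -1;               /* errno comes from seteuid() */
    if (geteuid() != target) {   /* confirm the switch really took effect */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Run fn(arg) under effective UID `temp`, then switch back to the
 * original effective UID. Returns 0 and stores fn's result in *out, or
 * -1 if either switch failed. A failed switch back leaves the process
 * at `temp`, so callers must treat -1 as fatal. */
int run_as_euid(uid_t temp, int (*fn)(void *), void *arg, int *out)
{
    uid_t orig = geteuid();

    if (set_euid_portable(temp) != 0)
        return -1;
    *out = fn(arg);
    return set_euid_portable(orig);
}

/* Constructed callback: does the effective UID match the expected one? */
int euid_matches(void *expected)
{
    return geteuid() == *(uid_t *)expected;
}

int main(void)
{
    uid_t me = geteuid();
    int ok = 0;
    return (run_as_euid(me, euid_matches, &me, &ok) == 0 && ok) ? 0 : 1;
}
```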