Date: Mon, 7 Jun 2004 01:30:51 -0700
From: David Schultz
To: Stefan Eßer, hackers@FreeBSD.ORG
Message-ID: <20040607083051.GA13982@VARK.homeunix.com>
Subject: Re: Semantics of "seteuid(uid)" vs. "setreuid(-1,uid)"
List-Id: Technical Discussions relating to FreeBSD

On Sun, Jun 06, 2004, Stefan Eßer wrote:
> Any reason, that there is a difference in semantics between:
>
> seteuid(id) vs. setreuid(-1, id) ???
>
> The tests performed on the arguments are different (assuming a
> fixed arg of -1 for ruid) in that seteuid does not support the
> case of (euid == cr_uid):
> [...]
> Is the difference between seteuid() and setreuid() deliberate ?

The best rationale I can think of is that setreuid(x, geteuid()) does something useful, whereas seteuid(geteuid()) is a no-op. I think the seteuid() behavior you complain about exists for purely historical reasons. POSIX does not require seteuid(geteuid()) to succeed, but it implicitly allows it as an extension. Solaris and Linux have this extension.

The trouble with tweaking the interface is that you always have to ask: what new security holes could this open up in existing software?

Hao Chen points out that the failure of seteuid(geteuid()) in FreeBSD is one of many tricky issues with using the set*uid() interface portably. In my (biased) opinion, his Setuid Demystified paper is well worth reading if you want to untangle this stuff in your mind:

http://www.usenix.org/events/sec02/full_papers/chen/chen.pdf
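
The difference discussed in this thread, as an added example that is not part of the original message and is not FreeBSD kernel code: two pure functions model the strict check (real or saved UID only) and the extended check (current euid also accepted), and a wrapper shows one way for portable code to avoid depending on seteuid(geteuid()) succeeding. The names struct ids, seteuid_strict_ok, seteuid_extended_ok and set_euid_checked are hypothetical, privilege is simplified to euid 0, and the UID 1000 state is constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Model of a process's three user IDs (type and names are this example's own). */
struct ids { uid_t ruid, euid, svuid; };

/* POSIX minimum: an unprivileged seteuid(id) is allowed only when id is the
 * real or the saved UID. The current euid is not in the accepted set.
 * Assumption: "appropriate privileges" is simplified to euid == 0. */
static bool seteuid_strict_ok(struct ids c, uid_t id)
{
    return c.euid == 0 || id == c.ruid || id == c.svuid;
}

/* setreuid(-1, id) as described in the thread, and seteuid() with the
 * Solaris/Linux extension: the current euid is accepted as well. */
static bool seteuid_extended_ok(struct ids c, uid_t id)
{
    return seteuid_strict_ok(c, id) || id == c.euid;
}

/* Portable wrapper: never ask the kernel for a no-op, then verify the result. */
static int set_euid_checked(uid_t id)
{
    if (geteuid() == id)
        return 0;              /* already there; skip the syscall */
    if (seteuid(id) != 0)
        return -1;             /* errno set by seteuid() */
    if (geteuid() != id) {     /* do not trust an unverified change */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed state: root process that temporarily dropped to euid 1000. */
    struct ids tmp = { 0, 1000, 0 };
    printf("strict seteuid(euid): %d, extended: %d\n",
           seteuid_strict_ok(tmp, 1000), seteuid_extended_ok(tmp, 1000));
    printf("set_euid_checked(geteuid()) = %d\n", set_euid_checked(geteuid()));
    return 0;
}
```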