From owner-cvs-all Wed Jul 19 21:25:55 2000
Delivered-To: cvs-all@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 92ED537B684; Wed, 19 Jul 2000 21:25:49 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id AAA77688; Thu, 20 Jul 2000 00:25:48 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Thu, 20 Jul 2000 00:25:48 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Marcel Moolenaar
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/i386/linux linux_dummy.c linux_misc.c
In-Reply-To: <200007190353.UAA71410@freefall.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Marcel,

I have not had a chance to review these commits as I am on travel. However, it strikes me that these are security-sensitive commits, and I didn't see a reviewed-by: on the original or MFC commits. As you know, we don't have a semantic equivalent to the Linux fsuid behavior, which (without looking at the patches) strongly suggests to me that we are emulating the behavior improperly, or noop'ing it. Incorrect emulation or no-oping the call may result in an application believing it has given up privileges when it has not, or giving up privileges that it does not know that it will. As a security person who has spent a fair amount of time of late beating up on Linux people to fix their capabilities implementation due to incorrect combining of uid and capability semantics, which is a very complicated thing, I can only point out that this is something we want to be *very* careful about.

The recent Linux kernel/sendmail bug is just one example of the results of not being very careful with security-sensitive calls and behaving predictably from the application perspective. Do you feel comfortable that this puts neither the kernel nor privileged userland applications at risk? I.e., do we precisely emulate their semantics and avoid introducing new security problems? If the answer to either of these questions is no, I'd like to see this backed out before the release.

Thanks!

On Tue, 18 Jul 2000, Marcel Moolenaar wrote:

> marcel      2000/07/18 20:53:08 PDT
>
>   Modified files:        (Branch: RELENG_4)
>     sys/i386/linux       linux_dummy.c linux_misc.c
>   Log:
>   MFC: Implement setfsuid and setfsgid.
>
>   PR: 16993
>
>   Revision      Changes    Path
>   1.21.2.1      +1 -3      src/sys/i386/linux/linux_dummy.c
>   1.77.2.2      +21 -1     src/sys/i386/linux/linux_misc.c
>
>

Robert N M Watson
robert@fledge.watson.org      http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
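The failure mode Robert describes (an application believing it has given up privileges when it has not) is concrete with setfsuid(), because the Linux call returns the previous fsuid on both success and failure and gives no error indication. The program below is an added illustration, not code from this thread or from the FreeBSD Linux emulator: it runs on Linux only (FreeBSD has no setfsuid), and the function names current_fsuid() and set_fsuid_verified() are this example's own. It applies the idiom documented in setfsuid(2): calling setfsuid() with the invalid uid -1 never changes anything, so its return value reveals the fsuid actually in effect, which an application can compare against what it asked for.

```c
/* Added example (Linux-only, not from the thread): verifying that a
 * setfsuid() call actually took effect. The return value of setfsuid()
 * is the previous fsuid whether or not the change was accepted, so a
 * caller that trusts it alone cannot tell a failed drop from a real one. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/fsuid.h>

/* Return the current filesystem uid without changing it.
 * (uid_t)-1 is never a valid uid, so the kernel rejects the change and
 * reports the fsuid that is in effect. */
uid_t current_fsuid(void)
{
    return (uid_t)setfsuid((uid_t)-1);
}

/* Set the fsuid to target and confirm the kernel accepted it.
 * Returns 1 if the fsuid is now target, 0 if the request was refused. */
int set_fsuid_verified(uid_t target)
{
    setfsuid(target);                 /* return value alone proves nothing */
    return current_fsuid() == target; /* re-read and compare */
}

int main(void)
{
    uid_t me = getuid();
    printf("fsuid before: %u\n", (unsigned)current_fsuid());

    /* Switching to our own real uid is always permitted. */
    printf("set fsuid to own uid %u: %s\n", (unsigned)me,
           set_fsuid_verified(me) ? "verified" : "FAILED");

    /* An unprivileged process may only choose among its real, effective,
     * saved and current filesystem uids; a constructed, unrelated uid
     * should therefore be refused unless the process is privileged. */
    uid_t other = (me == 12345) ? 12346 : 12345;   /* constructed value */
    printf("set fsuid to unrelated uid %u: %s\n", (unsigned)other,
           set_fsuid_verified(other) ? "changed (privileged process)"
                                     : "refused, fsuid unchanged");
    return 0;
}
```

The point for an emulation layer is the mirror image of this check: if the emulated call is a no-op or diverges from Linux semantics, a Linux binary that performs exactly this verification will either conclude it failed to drop privilege, or, worse, will not verify at all and carry on with more authority than it believes it holds.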