Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 24 Mar 1997 16:28:41 +0300 (MSK)
From:      =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= <ache@nagual.ru>
To:        Warner Losh <imp@freefall.freebsd.org>
Cc:        CVS-committers@freefall.freebsd.org, cvs-all@freefall.freebsd.org, cvs-lib@freefall.freebsd.org
Subject:   Re: cvs commit:  src/lib/libc/stdtime localtime.c
Message-ID:  <Pine.BSF.3.95q.970324162624.660E-100000@nagual.ru>
In-Reply-To: <199703240609.WAA00671@freefall.freebsd.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 23 Mar 1997, Warner Losh wrote:

> imp         97/03/23 22:09:53
> 
>   Modified:    lib/libc/stdtime  localtime.c
>   Log:
>   Don't open the tz file if we're running setuid or setgid to prevent infomration
>   leakage.

You can't determine setuid without issetuid() syscall implementing, so
this change gives only false sense of security. Priveledges can be
dropped before the moment you check them using getuid()/geteuid() and
restored back to suid after your check, so your check gains nothing.

-- 
Andrey A. Chernov
<ache@null.net>
http://www.nagual.ru/~ache/




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95q.970324162624.660E-100000>