From owner-cvs-lib Mon Mar 24 06:07:41 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id GAA09111 for cvs-lib-outgoing; Mon, 24 Mar 1997 06:07:41 -0800 (PST)
Received: from sovcom.kiae.su (sovcom.kiae.su [193.125.152.1]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id GAA09089; Mon, 24 Mar 1997 06:07:27 -0800 (PST)
Received: by sovcom.kiae.su id AA25974 (5.65.kiae-1 ); Mon, 24 Mar 1997 16:29:00 +0300
Received: by sovcom.KIAE.su (UUMAIL/2.0); Mon, 24 Mar 97 16:28:59 +0300
Received: (from ache@localhost) by nagual.ru (8.8.5/8.8.5) id QAA00700; Mon, 24 Mar 1997 16:28:42 +0300 (MSK)
Date: Mon, 24 Mar 1997 16:28:41 +0300 (MSK)
From: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?=
To: Warner Losh
Cc: CVS-committers@freefall.freebsd.org, cvs-all@freefall.freebsd.org, cvs-lib@freefall.freebsd.org
Subject: Re: cvs commit: src/lib/libc/stdtime localtime.c
In-Reply-To: <199703240609.WAA00671@freefall.freebsd.org>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-cvs-lib@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 23 Mar 1997, Warner Losh wrote:

> imp 97/03/23 22:09:53
>
> Modified: lib/libc/stdtime localtime.c
> Log:
> Don't open the tz file if we're running setuid or setgid to prevent information
> leakage.

You can't determine setuid without issetuid() syscall implementing, so this
change gives only false sense of security. Privileges can be dropped before
the moment you check them using getuid()/geteuid() and restored back to suid
after your check, so your check gains nothing.

--
Andrey A. Chernov
http://www.nagual.ru/~ache/
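
The objection in the reply above, as an added example that is not part of the original message or of the FreeBSD source: a small C model of real, effective and saved user IDs showing why comparing getuid() with geteuid() stops detecting a set-id program once it temporarily drops privileges. The struct, the `model_*` functions and the UID values are constructed for illustration; the `tainted` flag stands in for exec-time state of the kind issetugid(2) reports on BSD systems.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a process's user credentials; not kernel code. */
struct cred {
    unsigned ruid, euid, svuid; /* real, effective, saved set-user-ID */
    bool tainted;               /* set once, when a set-id image is executed */
};

/* Model exec of a binary owned by file_uid, with or without the setuid bit. */
static struct cred model_exec(unsigned caller_uid, unsigned file_uid, bool setuid_bit)
{
    struct cred c = { caller_uid, caller_uid, caller_uid, false };
    if (setuid_bit && file_uid != caller_uid) {
        c.euid = c.svuid = file_uid;
        c.tainted = true;
    }
    return c;
}

/* Model seteuid(): a non-root process may only switch euid to ruid or svuid. */
static int model_seteuid(struct cred *c, unsigned uid)
{
    if (c->euid != 0 && uid != c->ruid && uid != c->svuid)
        return -1;
    c->euid = uid;
    return 0;
}

/* The kind of check the reply objects to: looks only at the IDs right now. */
static bool naive_is_setid(const struct cred *c) { return c->ruid != c->euid; }

/* Exec-time check: unaffected by later ID switching. */
static bool taint_is_setid(const struct cred *c) { return c->tainted; }

int main(void)
{
    struct cred c = model_exec(1001, 0, true);  /* uid 1001 runs a setuid-root program */
    printf("at start:   naive=%d taint=%d\n", naive_is_setid(&c), taint_is_setid(&c));
    model_seteuid(&c, 1001);                    /* temporary privilege drop */
    printf("after drop: naive=%d taint=%d\n", naive_is_setid(&c), taint_is_setid(&c));
    model_seteuid(&c, 0);                       /* restored from the saved ID */
    printf("restored:   naive=%d taint=%d\n", naive_is_setid(&c), taint_is_setid(&c));
    return 0;
}
```

A library routine that decides whether to trust the environment while the process is in the middle state sees equal IDs, even though the saved ID still lets the process regain its privileges afterwards.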