Date: Sat, 26 May 2001 01:46:21 +1000 (EST)
From: Bruce Evans <bde@zeta.org.au>
To: Ruslan Ermilov <ru@FreeBSD.ORG>
Cc: Kris Kennaway <kris@obsecurity.org>, audit@FreeBSD.ORG
Subject: Re: ping6 fixes
Message-ID: <Pine.BSF.4.21.0105260123140.84787-100000@besplex.bde.org>
In-Reply-To: <20010510151241.A44027@sunbay.com>

[I'm replying publicly only to the last reply in this thread]

On Thu, 10 May 2001, Ruslan Ermilov wrote:

> On Thu, May 10, 2001 at 08:52:50PM +1000, Bruce Evans wrote:
> > On Thu, 10 May 2001, Ruslan Ermilov wrote:
> >
> > > On Wed, May 09, 2001 at 08:37:40PM -0700, Kris Kennaway wrote:
> > > > On Wed, May 09, 2001 at 04:20:44AM +1000, Bruce Evans wrote:
> > > >
> > > > > I think I now understand the purpose of seteuid() before seteuid().
> > > >
> > > > Me too. Thanks, all.
> > > >
> > > /me still doesn't.
> > >
> > > As I said, this would only be meaningful if:
> > >
> > > 1) we follow POSIX.1-200x
> >
> > I'm still not sure about this (haven't seen POSIX.any-200x...).
> >
> Don't you know that the drafts are available on
> www.opengroup.com/austin-l ?

No I do. It's actually www.opengroup.org/somewhere (www.opengroup.com
is completely different).

For setuid(), draft POSIX.1-200x is essentially the same as POSIX.1.1996
except it requires _POSIX_SAVED_IDS, so we don't follow it.

For seteuid(), draft POSIX.1-200x seems to be essentially the same as
4.4BSD (I didn't check this carefully). I don't see how this can work
right with _POSIX_SAVED_IDS. It works right in 4.4BSD, but with
_POSIX_SAVED_IDS there seems to be no way to give up the saved id
except for processes with "appropriate privilege". The rationale for
setuid() in Draft POSIX.1-200x has a lot to say about this problem.
Its solution of adding the 4.4BSD seteuid() is incomplete IMO.

> > > - and -
> > >
> > > 2) the process doesn't have "appropriate privilege" initially,
> > > i.e., it's not setuid root (not the case here).
> >
> > It saves you from having to know much about the current ids. (Not a
> > good reason, since you really should understand the current ids in
> > set*id programs. And you really should check that set*id() succeeded...)
> >
> But the comment in the code assumes that the current IDs are that of
> root.

OK.

There is no problem for setuid root programs like ping* provided they
give up their privilege when their euid is root. They then have
"appropriate privilege", so setuid() works right.

Bruce
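
The approach discussed in the message above (give up privilege with setuid() while the euid is still root, and check that the call succeeded), as an added example that is not part of the original e-mail or of the ping6 source. `drop_privileges` is a hypothetical helper name, and the example handles user IDs only.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Give up setuid-root privilege for good.  Returns 0 on success, -1 if the
 * process is still root or could become root again.
 */
int drop_privileges(void)
{
    uid_t ruid = getuid();

    /*
     * While the euid is still 0 the process has "appropriate privilege",
     * so setuid() sets the real, effective and saved IDs together.  If it
     * ran after a seteuid(ruid) instead, a system with POSIX saved-ID
     * semantics would change only the effective ID and keep saved ID 0.
     */
    if (setuid(ruid) != 0) {
        perror("setuid");
        return -1;
    }

    /* Check the result instead of assuming it. */
    if (getuid() != ruid || geteuid() != ruid)
        return -1;

    /* A surviving saved ID of 0 would let this call succeed. */
    if (ruid != 0 && seteuid(0) == 0)
        return -1;

    return 0;
}

int main(void)
{
    /* A ping-like program opens its raw socket before this point. */
    if (drop_privileges() != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    printf("uid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    return 0;
}
```
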