From owner-freebsd-security Wed Feb 19 06:26:31 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id GAA25166 for security-outgoing; Wed, 19 Feb 1997 06:26:31 -0800 (PST)
Received: from root.com (implode.root.com [198.145.90.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA25161 for ; Wed, 19 Feb 1997 06:26:28 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by root.com (8.8.5/8.6.5) with SMTP id GAA12408; Wed, 19 Feb 1997 06:24:57 -0800 (PST)
Message-Id: <199702191424.GAA12408@root.com>
X-Authentication-Warning: implode.root.com: localhost [127.0.0.1] didn't use HELO protocol
To: Andrew Kosyakov , rbezuide@oskar.nanoteq.co.za, jas@flyingfox.COM, security@freebsd.org
Subject: Re: Coredumps and setuids .. interesting..
In-reply-to: Your message of "Wed, 19 Feb 1997 05:37:20 PST." <199702191337.FAA12198@root.com>
From: David Greenman
Reply-To: dg@root.com
Date: Wed, 19 Feb 1997 06:24:57 -0800
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>>Why, it would be unwise of it to close data base before dropping root
>>privileges (and in this case it will be impossible at all), and I won't be
>>able to send any signal to it unless it drops privileges. The case when it
>
>   A process running with set*id privileges doesn't mean that it can't receive
>signals while it has them effective. In fact it can, the only requirement is
>that the real uid of the process and the uid of the process sending the
>signal be the same, and they will be in either case.

   A correction...the signal sender need only match *either* the real or
effective uid of the signal receiver. From the manual page:

     For a process to have permission to send a signal to a process designated
     by pid, the real or effective user ID of the receiving process must match
     that of the sending process or the user must have appropriate privileges
     (such as given by a set-user-ID program or the user is the super-user).
     A single exception is the signal SIGCONT, which may always be sent to any
     descendant of the current process.

   I actually didn't know it was this open until I read the manual page. I
believe this behavior is required by POSIX, so it's not likely something that
we would want to change.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project
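
[Added example, not part of the original message and not FreeBSD kernel code: a small C model of the permission rule quoted from the manual page above, applied to the set-user-ID case this thread discusses. The struct, function name, uid values and the receiver_is_descendant flag are assumptions made for illustration; "match" is read as any of the sender's real/effective uids equalling any of the receiver's.]

```c
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Only the two credentials the quoted rule looks at (hypothetical type). */
struct cred { uid_t ruid, euid; };

/* Constructed sample credentials; the uid numbers are made up. */
static const struct cred INVOKER      = {1001, 1001}; /* ordinary user          */
static const struct cred OTHER_USER   = {1002, 1002}; /* unrelated user         */
static const struct cred FILE_OWNER   = {2000, 2000}; /* owns a setuid binary   */
static const struct cred ROOT         = {0, 0};       /* super-user             */
static const struct cred SETUID_ROOT  = {1001, 0};    /* setuid-root, run by 1001 */
static const struct cred SETUID_OWNER = {1001, 2000}; /* setuid-2000, run by 1001 */

/* Model of the manual-page text: super-user may always signal, SIGCONT may
 * always go to a descendant, otherwise a real or effective uid must match. */
static bool may_signal(struct cred sender, struct cred receiver,
                       int sig, bool receiver_is_descendant)
{
    if (sender.euid == 0)
        return true;
    if (sig == SIGCONT && receiver_is_descendant)
        return true;
    return sender.ruid == receiver.ruid || sender.ruid == receiver.euid ||
           sender.euid == receiver.ruid || sender.euid == receiver.euid;
}

static void show(const char *what, bool allowed)
{
    printf("%-52s %s\n", what, allowed ? "allowed" : "denied");
}

int main(void)
{
    /* The invoking user still matches the real uid of the setuid process. */
    show("invoker -> setuid-root process (SIGQUIT)",
         may_signal(INVOKER, SETUID_ROOT, SIGQUIT, false));
    /* Once the receiver's real uid is also 0, nothing matches any more. */
    show("invoker -> process with ruid=euid=0 (SIGQUIT)",
         may_signal(INVOKER, ROOT, SIGQUIT, false));
    /* The binary's owner matches the effective uid of someone else's run. */
    show("file owner -> setuid-2000 process run by 1001",
         may_signal(FILE_OWNER, SETUID_OWNER, SIGQUIT, false));
    show("unrelated user -> setuid-root process (SIGQUIT)",
         may_signal(OTHER_USER, SETUID_ROOT, SIGQUIT, false));
    show("invoker -> root-owned descendant (SIGCONT)",
         may_signal(INVOKER, ROOT, SIGCONT, true));
    return 0;
}
```
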