Date: Thu, 20 Jul 2000 15:44:04 -0400 (EDT)
From: Brian Fundakowski Feldman <green@FreeBSD.org>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: Marcel Moolenaar <marcel@cup.hp.com>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/i386/linux linux_dummy.c linux_misc.c
Message-ID: <Pine.BSF.4.21.0007201534100.1758-100000@green.dyndns.org>
In-Reply-To: <Pine.NEB.3.96L.1000720125351.85018B-100000@fledge.watson.org>
On Thu, 20 Jul 2000, Robert Watson wrote:

> (3) For that behavior is not the same, how can we provide that information
> to the application, or prevent a problem. This is an important case,
> because this is where the sendmail bug occurred on Linux. In Linux, the
> setuid() call is now permitted to fail even if the effective uid is zero.
> In a few months, the same will be true of FreeBSD. However, the sendmail
> application assumed that setuid() would always succeed, and so didn't
> check the error return. Do linux applications check the return for, say,
> setfsuid()? Right now, is our behavior to kill the application? That's
> certainly fail-safe, although not fail-happy.

I could only say that I don't think that allowing privilege-dropping
setuid() calls to fail isn't one of the worst ideas ever iff in /every/
case that setuid() et al fail to drop privileges, the application got a
uprintf(9) to show this, log(9) was called to record it, and the system
call performed a psignal(p, SIGKILL). There is absolutely no reason that
traditional applications should be _able_ to be made more INsecure via
capabilities. If a standard says we should not allow an application to
drop privileges, we should either

  a) Don't follow that standard.
  b) Allow it to fail securely: kill the process immediately.

Needless to say, it should act exactly the same for the equivalent Linux
calls. We have an obligation to security much more than we have an
obligation to act exactly like Linux, even in the Linux binary activator.

> Robert N M Watson
>
> robert@fledge.watson.org              http://www.watson.org/~robert/
> PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
> TIS Labs at Network Associates, Safeport Network Services

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'
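The user-space side of the fail-closed behaviour argued for in this thread, as an added example that is not code from the thread, from sendmail or from FreeBSD: every setgroups()/setgid()/setuid() return is checked, the result is re-verified with the get*id() calls rather than trusted, and a failed drop terminates the process instead of continuing with privilege. The helper names are my own.

```c
/* Privilege drop that fails closed. The thread's point: setuid() may fail
 * even when the effective uid is 0, so its return value must be checked
 * and a failed drop must not let the program carry on privileged. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 only if real and effective uid/gid all equal the target pair. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Drop to uid/gid. Returns 0 on success, -1 with errno set on any failure.
 * Groups first, then gid, then uid: once the uid is unprivileged the
 * group calls would themselves be refused. */
int drop_privileges_to(uid_t uid, gid_t gid)
{
    /* setgroups() requires privilege; only clear supplementary groups as root. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Do not trust the 0 return alone; confirm the ids actually changed. */
    if (!privileges_dropped(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Fail securely: log the failure and terminate rather than run privileged. */
void drop_privileges_or_die(uid_t uid, gid_t gid)
{
    if (drop_privileges_to(uid, gid) != 0) {
        fprintf(stderr, "privilege drop to uid %lu failed: %s; exiting\n",
                (unsigned long)uid, strerror(errno));
        _exit(EXIT_FAILURE);
    }
}

int main(void)
{
    /* Dropping to the caller's own ids is always permitted, so this succeeds. */
    drop_privileges_or_die(getuid(), getgid());
    printf("now uid=%lu gid=%lu\n", (unsigned long)getuid(), (unsigned long)getgid());
    return 0;
}
```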
