From owner-cvs-all Thu Jul 20 12:44:14 2000
Delivered-To: cvs-all@freebsd.org
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 9C9AE37C228; Thu, 20 Jul 2000 12:44:06 -0700 (PDT) (envelope-from green@FreeBSD.org)
Date: Thu, 20 Jul 2000 15:44:04 -0400 (EDT)
From: Brian Fundakowski Feldman
X-Sender: green@green.dyndns.org
To: Robert Watson
Cc: Marcel Moolenaar, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/i386/linux linux_dummy.c linux_misc.c
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 20 Jul 2000, Robert Watson wrote:

> (3) For that behavior is not the same, how can we provide that information
> to the application, or prevent a problem. This is an important case,
> because this is where the sendmail bug occurred on Linux. In Linux, the
> setuid() call is now permitted to fail even if the effective uid is zero.
> In a few months, the same will be true of FreeBSD. However, the sendmail
> application assumed that setuid() would always succeed, and so didn't
> check the error return. Do linux applications check the return for, say,
> setfsuid()? Right now, is our behavior to kill the application? That's
> certainly fail-safe, although not fail-happy.

I could only say that I don't think that allowing privilege-dropping
setuid() calls to fail isn't one of the worst ideas ever iff in /every/
case that setuid() et al fail to drop privileges, the application got a
uprintf(9) to show this, log(9) was called to record it, and the system
call performed a psignal(p, SIGKILL).

There is absolutely no reason that traditional applications should be
_able_ to be made more INsecure via capabilities. If a standard says we
should not allow an application to drop privileges, we should either

a) Don't follow that standard.
b) Allow it to fail securely: kill the process immediately.

Needless to say, it should act exactly the same for the equivalent Linux
calls. We have an obligation to security much more than we have an
obligation to act exactly like Linux, even in the Linux binary activator.

> Robert N M Watson
>
> robert@fledge.watson.org http://www.watson.org/~robert/
> PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
> TIS Labs at Network Associates, Safeport Network Services

--
Brian Fundakowski Feldman \ FreeBSD: The Power to Serve! /
green@FreeBSD.org `------------------------------'
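The sendmail mistake discussed above was assuming setuid() cannot fail. The thread proposes handling that in the kernel; the following is an added example (not code from the thread or from FreeBSD) of the userland counterpart: a privilege drop that checks every return value, verifies the ids actually changed, confirms root cannot be regained, and fails closed by aborting. The function names `drop_privileges_checked`, `privileges_fully_dropped` and `drop_privileges_or_die` are my own.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose setgroups() in <grp.h> */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the target uid/gid, checking each step. Returns 0 on success,
 * -1 (errno set) on the first failure. Groups and gid go first: once the
 * effective uid is no longer 0 they can no longer be changed. */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    /* Only a privileged process may rewrite the supplementary group list;
     * an unprivileged one simply keeps the groups it already has. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop took effect: real and effective ids match the target and,
 * for a non-root target, root can no longer be regained (saved uid gone). */
int privileges_fully_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)   /* must fail with EPERM */
        return 0;
    return 1;
}

/* Fail closed: a process that cannot shed privilege must not keep running. */
void drop_privileges_or_die(uid_t uid, gid_t gid)
{
    if (drop_privileges_checked(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        abort();
    }
    if (!privileges_fully_dropped(uid, gid)) {
        fprintf(stderr, "privilege drop did not take effect\n");
        abort();
    }
}

int main(void)
{
    /* Demonstration: dropping to our own ids, which always succeeds. */
    drop_privileges_or_die(getuid(), getgid());
    printf("running as uid %lu\n", (unsigned long)getuid());
    return 0;
}
```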