From owner-freebsd-current Sun Dec 7 07:25:33 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id HAA03255 for current-outgoing; Sun, 7 Dec 1997 07:25:33 -0800 (PST) (envelope-from owner-freebsd-current)
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id HAA03249 for ; Sun, 7 Dec 1997 07:25:25 -0800 (PST) (envelope-from bde@zeta.org.au)
Received: (from bde@localhost) by godzilla.zeta.org.au (8.8.7/8.6.9) id CAA04113; Mon, 8 Dec 1997 02:22:27 +1100
Date: Mon, 8 Dec 1997 02:22:27 +1100
From: Bruce Evans
Message-Id: <199712071522.CAA04113@godzilla.zeta.org.au>
To: brian@awfulhak.org, evanc@synapse.net
Subject: Re: _POSIX_SAVED_IDS
Cc: freebsd-current@FreeBSD.ORG
Sender: owner-freebsd-current@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>AFAIK, setreuid() doesn't use saved ids - setreuid() should only be
>used to swap your euid and uid.  Disclaimer - this is an assumption,
>I may be wrong.

Don't assume, read the man^H^H^Hcode.  setreuid() does use saved ids.
They are BSD saved ids, not POSIX saved ids, so _POSIX_SAVED_IDS is
not defined.

>However, seteuid() works ok for me (/usr/src/usr.sbin/ppp/id.c),
>which implies that saved uids are functional.

It works OK if you want to swap ids, but not if you want to set all
ids including the saved id to the same value.  Use setuid() or exec
to set them all.

Not knowing about the saved id is dangerous because it may result in
security holes in apparently secure code, e.g.:

	char buf[1234];
	setuid(getuid());
	strcpy(buf, argv[1]);

With POSIX semantics for saved ids, it is not clear when the above
setuid() sets the saved id.  It sets it if the process has "appropriate
privileges".  The behaviour is implementation defined.  At least the
old FreeBSD implementation defined "has appropriate privileges" as
"being root".  This means that the above is secure for root but not
for anyone else.

OTOH, this definition makes the saved ids useless for root if only
POSIX interfaces are used.  FreeBSD now gives everyone "appropriate
privileges" for doing setuid(getegid()), so if you uncomment
_POSIX_SAVED_IDS in , then you can set all the uids to the real uid
using:

	seteuid(getuid());	/* euid = ruid, suid = any */
	setuid(geteuid());	/* all uids = euid = original ruid */

This is very unportable.

Bruce
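The three-line pattern in Bruce's mail has two separate problems: the strcpy() is unbounded, and setuid(getuid()) may or may not have cleared the saved uid depending on whether the implementation grants the caller "appropriate privileges". The following is an added example, not code from the mail or from FreeBSD: it keeps the mail's setuid() call, then reads the three uids back with getresuid() (Linux and FreeBSD 3.0+) and, if the saved uid survived, finishes the job with setresuid() before it touches untrusted input. The function names, the buffer size and the decision to refuse rather than truncate oversized input are this example's own choices.

```c
/* Added example, not from Bruce Evans's mail or the FreeBSD tree: the
 * setuid(getuid()); strcpy(buf, argv[1]); pattern with the two things it
 * lacks, a bounds check and a privilege drop that is verified to have
 * cleared the saved uid too.  Names and sizes are illustrative. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#if defined(__linux__) || defined(__FreeBSD__)
/* Explicit prototypes so this compiles even if a system header was seen
 * before _GNU_SOURCE; they match the libc declarations on both systems. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
#endif

/* Copy untrusted text into a fixed buffer, refusing (not truncating, not
 * overflowing) input that does not fit together with its terminator.
 * Returns 0 on success, -1 when src is too long or dst has no room. */
int copy_arg_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);

    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Give up the effective uid for good.  setuid() sets real, effective and
 * saved uid only when the caller has "appropriate privileges" (root or
 * CAP_SETUID on Linux); otherwise it sets just the effective uid and the
 * saved uid survives, which is the hole the mail describes.  So: call
 * setuid(), read the ids back, and repair with setresuid() if needed.
 * Returns 0 only when every uid the kernel reports equals the real uid. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();

    if (setuid(ruid) != 0)
        return -1;
#if defined(__linux__) || defined(__FreeBSD__)
    {
        uid_t r, e, s;

        if (getresuid(&r, &e, &s) != 0)
            return -1;
        if (r != ruid || e != ruid || s != ruid) {
            /* Saved uid survived setuid(): an unprivileged caller may set
             * each id to any of its current ids, so this always succeeds
             * for ruid and leaves nothing to re-escalate to. */
            if (setresuid(ruid, ruid, ruid) != 0)
                return -1;
            if (getresuid(&r, &e, &s) != 0)
                return -1;
            if (r != ruid || e != ruid || s != ruid)
                return -1;
        }
    }
#endif
    /* Portable sanity check for systems without getresuid(). */
    if (getuid() != ruid || geteuid() != ruid)
        return -1;
    return 0;
}

/* The mail's pattern done safely: drop first, verify, then copy bounded.
 * Returns 0 on success, -1 if either step fails. */
int handle_untrusted_arg(const char *arg, char *out, size_t outsz)
{
    if (drop_privileges_permanently() != 0)
        return -1;
    return copy_arg_bounded(out, outsz, arg);
}

int main(int argc, char **argv)
{
    char buf[1234];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <text>\n", argv[0]);
        return 2;
    }
    if (handle_untrusted_arg(argv[1], buf, sizeof buf) != 0) {
        fprintf(stderr, "refused: privilege drop incomplete or argument too long\n");
        return 1;
    }
    printf("uid=%u euid=%u copied %zu bytes\n",
           (unsigned)getuid(), (unsigned)geteuid(), strlen(buf));
    return 0;
}
```

Run as an ordinary process all three uids already agree, so the setresuid() branch is never taken; install the binary set-user-id to a non-root account on Linux and the branch is what makes the drop complete, since there setuid(getuid()) from an unprivileged caller changes only the effective uid. The point of reading the ids back is the mail's point: do not assume what setuid() did to the saved id, check.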