Date: Mon, 8 Dec 1997 02:22:27 +1100
From: Bruce Evans <bde@zeta.org.au>
To: brian@awfulhak.org, evanc@synapse.net
Cc: freebsd-current@FreeBSD.ORG
Subject: Re: _POSIX_SAVED_IDS
Message-ID: <199712071522.CAA04113@godzilla.zeta.org.au>
>AFAIK, setreuid() doesn't use saved ids - setreuid() should only be
>used to swap your euid and uid. Disclaimer - this is an assumption,
>I may be wrong.

Don't assume, read the man^H^H^Hcode. setreuid() does use saved ids.
They are BSD saved ids, not POSIX saved ids, so _POSIX_SAVED_IDS is
not defined.

>However, seteuid() works ok for me (/usr/src/usr.sbin/ppp/id.c),
>which implies that saved uids are functional.

It works OK if you want to swap ids, but not if you want to set all ids
including the saved id to the same value. Use setuid() or exec to set
them all. Not knowing about the saved id is dangerous because it may
result in security holes in apparently secure code, e.g.:

	char buf[1234];

	setuid(getuid());
	strcpy(buf, argv[1]);

With _POSIX semantics for saved ids, it is not clear when the above
setuid() sets the saved id. It sets it if the process has "appropriate
privileges". The behaviour is implementation defined. At least the old
FreeBSD implementation defined "has appropriate privileges" as "being
root". This means that the above is secure for root but not for anyone
else. OTOH, this definition makes the saved ids useless for root if
only POSIX interfaces are used.

FreeBSD now gives everyone "appropriate privileges" for doing
setuid(getegid()), so if you uncomment _POSIX_SAVED_IDS in
<sys/unistd.h>, then you can set all the uids to the real uid using:

	seteuid(getuid());	/* euid = ruid, suid = any */
	setuid(geteuid());	/* all uids = euid = original ruid */

This is very unportable.

Bruce
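The check a practitioner wants after reading the above is whether a "privilege drop" actually reached the saved uid, since that is the id that lets a process regain its old euid. The following is an added example, not code from the message or from FreeBSD: it drops to the real uid with setuid(getuid()) and then reads back all three ids with getresuid(), which exists on FreeBSD and Linux but is not in POSIX (the explicit prototype is there so it compiles even when the feature macro is not honoured). The function names are my own.

```c
#define _GNU_SOURCE     /* getresuid() is a BSD/Linux extension, not POSIX */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Explicit prototype in case the feature macro above was set too late
 * for <unistd.h> to expose getresuid(). Compatible with the libc one. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* Returns 1 if the real, effective and saved uids all equal `expected`,
 * 0 otherwise (including when getresuid() itself fails). */
int uids_all_equal(uid_t expected)
{
    uid_t ruid, euid, suid;

    if (getresuid(&ruid, &euid, &suid) != 0)
        return 0;
    return ruid == expected && euid == expected && suid == expected;
}

/* Permanently drop to the real uid and verify that the saved uid went too.
 * Returns 0 only when all three ids now equal the real uid; -1 means the
 * drop is incomplete and a later seteuid() could restore the old euid. */
int drop_privileges_permanently(void)
{
    uid_t target = getuid();

    if (setuid(target) != 0)
        return -1;
    /* Do not trust setuid()'s return value alone: whether it touched the
     * saved uid depends on "appropriate privileges", which is
     * implementation defined. Read the ids back instead. */
    if (!uids_all_equal(target))
        return -1;
    return 0;
}

int main(void)
{
    uid_t ruid, euid, suid;
    int rc;

    getresuid(&ruid, &euid, &suid);
    printf("before: ruid=%u euid=%u suid=%u\n",
           (unsigned)ruid, (unsigned)euid, (unsigned)suid);

    rc = drop_privileges_permanently();

    getresuid(&ruid, &euid, &suid);
    printf("after:  ruid=%u euid=%u suid=%u -> %s\n",
           (unsigned)ruid, (unsigned)euid, (unsigned)suid,
           rc == 0 ? "all ids dropped" : "saved uid still differs");
    return rc == 0 ? 0 : 1;
}
```

Run it as an ordinary user and the three ids are already equal, so the check trivially passes; install the binary set-user-id (or run it as root) and the "after" line shows whether setuid() on that system reached the saved uid. The point of the read-back is that the answer is implementation defined, so a privilege-dropping program should verify it rather than assume it.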
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199712071522.CAA04113>