From owner-freebsd-security Sat Apr 29 07:47:46 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id HAA27179 for security-outgoing; Sat, 29 Apr 1995 07:47:46 -0700
Received: from sequent.kiae.su (sequent.kiae.su [144.206.136.6]) by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id HAA27169 for ; Sat, 29 Apr 1995 07:47:40 -0700
Received: by sequent.kiae.su id AA27114 (5.65.kiae-2 ); Sat, 29 Apr 1995 18:44:41 +0400
Received: by sequent.KIAE.su (UUMAIL/2.0); Sat, 29 Apr 95 18:44:41 +0400
Received: (from ache@localhost) by astral.msk.su (8.6.8/8.6.6) id SAA01695; Sat, 29 Apr 1995 18:40:12 +0400
To: Bruce Evans
Cc: security@FreeBSD.org, "Garrett A. Wollman"
References: <199504291339.XAA25148@godzilla.zeta.org.au>
In-Reply-To: <199504291339.XAA25148@godzilla.zeta.org.au>; from Bruce Evans at Sat, 29 Apr 1995 23:39:09 +1000
Message-Id:
Organization: Olahm Ha-Yetzirah
Date: Sat, 29 Apr 1995 18:40:12 +0400
X-Mailer: Mail/@ [v2.32 FreeBSD]
From: "Andrey A. Chernov, Black Mage"
X-Class: Fast
Subject: Re: Call for remove setr[ug]id() and setre[ug]id() from libc
Lines: 53
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Length: 2319
Sender: security-owner@FreeBSD.org
Precedence: bulk

In message <199504291339.XAA25148@godzilla.zeta.org.au> Bruce Evans writes:

>>0) Now we have _all_ set*[gu]id() functions working the same way as SunOS
>>(SunOS is the de-facto standard; most Unix pgms expect its way).
>>SunOS has true POSIX SAVED_IDS setuid()/setgid() and BSD4.2-like
>>setre*(). Moreover, we are now compatible with Linux setuid()/setgid();
>>they have POSIX SAVED_IDS too. I think the current scheme is the best
>>way which is possible.

>I think the best possible is:
>a) seteuid(euid) == setreuid(-1, euid) (deprecated like setreuid())

Dislike. seteuid() is introduced to help root avoid the setuid() POSIX
restrictions. CSRG 4.4 has a POSIX_SAVED_IDS root setuid() case (surprise).
See the seteuid comment in sys/sys/unistd.h

>>1) seteuid() does not change svuid, according to SunOS.
>>From common sense it allows root to keep svuid untouched,

>What does it do in Linux? I deleted my Linux sources, and the man
>pages here are of a much lower quality than FreeBSD's :-).

I can't find sete[ug]id() syscalls in Linux. It can be my fault or an
intentional thing, because POSIX_SAVED_IDS setuid() covers the seteuid()
case for non-roots.

>>3) I don't see the sec hole you point to:

> root: euid=0 ruid=0 svuid=any; exec setuid program to become
> man: euid=9 ruid=0 svuid=0; setuid(9) to become
> man: euid=9 ruid=0 svuid=0

>The setuid() is being done by an old program that isn't aware of POSIX
>semantics. It expects to end up as ruid=9 but doesn't. Note that the
>set[r]euid() semantics and the final value of svuid aren't important
>here.

Please describe it in more detail: what started, which function was called
with what args exactly, etc.

BTW, it is clear that POSIX setuid() does not work the same way as
non-POSIX :-) I.e. non-POSIX returns -1 when POSIX can be successful.
But as we claim ourselves to be POSIX-compatible, we must follow POSIX
and convert pgms which conflict with it (as we already do with the
terminal driver, f.e.). Luckily, looking through our sources right now
I don't find any pgms which conflict.

-- 
Andrey A. Chernov        : And I rest so composedly, /Now, in my bed,
ache@astral.msk.su       : That any beholder /Might fancy me dead -
FidoNet: 2:5020/230.3    : Might start at beholding me, /Thinking me dead.
RELCOM Team,FreeBSD Team : E.A.Poe From "For Annie" 1849
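The two points argued above (whether a root process can get back to uid 0 after dropping privilege with seteuid() versus POSIX setuid(), and what Bruce's root-runs-set-uid-man scenario ends up with under the old and the saved-ID rules) can be replayed without a root shell with a user-space model of the credential rules. The following is an added example written for this page; it is not code from the thread and not FreeBSD kernel code. The rules it encodes are assumptions: the "4.3BSD-style" setuid() is allowed only when uid equals ruid or the caller is superuser and sets ruid and euid; the POSIX saved-ID setuid() lets the superuser set all three ids and lets anyone else change only euid, to an id it already holds, where accepting uid == euid is read from the scenario in the thread (setuid(9) succeeds with euid=9 and leaves ruid=0); seteuid() changes euid only and never touches svuid. The set-uid exec model, the uid 9 for `man`, and every function name are likewise assumptions for illustration.

```c
#include <stdio.h>

/* Three-id credential set (real, effective, saved). Model only. */
typedef struct { unsigned ruid, euid, svuid; } cred_t;
typedef int (*setuid_fn)(cred_t *, unsigned);

/* 4.3BSD-style setuid() (assumed rule): permitted if uid == ruid or the
 * caller is superuser; sets ruid and euid; no saved uid to update. */
static int setuid_bsd43(cred_t *c, unsigned uid)
{
    if (uid != c->ruid && c->euid != 0)
        return -1;                            /* EPERM */
    c->ruid = c->euid = uid;
    return 0;
}

/* _POSIX_SAVED_IDS setuid() (assumed rule): superuser sets all three ids;
 * anyone else may change only euid, and only to an id it already holds.
 * Accepting uid == euid is read from the scenario in the thread. */
static int setuid_posix_saved(cred_t *c, unsigned uid)
{
    if (c->euid == 0) {
        c->ruid = c->euid = c->svuid = uid;
        return 0;
    }
    if (uid != c->ruid && uid != c->euid && uid != c->svuid)
        return -1;                            /* EPERM */
    c->euid = uid;                            /* ruid and svuid are kept */
    return 0;
}

/* seteuid() (assumed rule): changes euid only and never touches svuid. */
static int seteuid_model(cred_t *c, unsigned uid)
{
    if (c->euid != 0 && uid != c->ruid && uid != c->svuid)
        return -1;                            /* EPERM */
    c->euid = uid;
    return 0;
}

/* exec of a set-user-ID file: euid and svuid become the owner, ruid stays. */
static cred_t exec_setuid_file(cred_t c, unsigned owner)
{
    c.euid = c.svuid = owner;
    return c;
}

/* The thread's scenario: root (0/0/0) execs a set-uid `man' (uid 9, assumed)
 * program, which then calls setuid(9). Resulting credentials go to *out;
 * the return value is what setuid() returned under the chosen rule. */
static int replay_scenario(int posix, cred_t *out)
{
    setuid_fn rule = posix ? setuid_posix_saved : setuid_bsd43;
    cred_t c = exec_setuid_file((cred_t){ 0, 0, 0 }, 9);
    int rc = rule(&c, 9);
    *out = c;
    return rc;
}

/* Integer accessors so the outcome can be checked without printing. */
static int scenario_rc(int posix)   { cred_t c; return replay_scenario(posix, &c); }
static int scenario_ruid(int posix) { cred_t c; replay_scenario(posix, &c); return (int)c.ruid; }
static int scenario_euid(int posix) { cred_t c; replay_scenario(posix, &c); return (int)c.euid; }

/* Root dropping to uid 9 and trying to come back. With seteuid() svuid
 * stays 0, so the return succeeds; with POSIX setuid() all three ids
 * become 9 and there is no way back. Returns 1 if uid 0 was regained. */
static int root_roundtrip(int use_seteuid)
{
    cred_t c = { 0, 0, 0 };
    setuid_fn f = use_seteuid ? seteuid_model : setuid_posix_saved;
    if (f(&c, 9) != 0 || c.euid != 9)
        return 0;
    return f(&c, 0) == 0 && c.euid == 0;
}

int main(void)
{
    cred_t c;
    int rc = replay_scenario(0, &c);
    printf("4.3BSD setuid(9): rc=%d ruid=%u euid=%u svuid=%u\n", rc, c.ruid, c.euid, c.svuid);
    rc = replay_scenario(1, &c);
    printf("POSIX  setuid(9): rc=%d ruid=%u euid=%u svuid=%u\n", rc, c.ruid, c.euid, c.svuid);
    printf("root regains uid 0 after seteuid(9): %d, after setuid(9): %d\n",
           root_roundtrip(1), root_roundtrip(0));
    return 0;
}
```

Under the modelled rules the scenario comes out exactly as the two messages describe it: the old-style setuid(9) fails with -1 (uid 9 is neither the real uid nor is the caller superuser), while the saved-ID setuid(9) succeeds and leaves ruid=0, which is what an old program expecting ruid=9 would not anticipate. The round trip shows why seteuid() is useful to root: after setuid(9) the saved uid is 9 too and privilege cannot be regained, whereas after seteuid(9) the saved uid is still 0.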