From owner-freebsd-security Wed Feb 5 13:43:04 1997
Return-Path:
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id NAA14153
          for security-outgoing; Wed, 5 Feb 1997 13:43:04 -0800 (PST)
Received: from Mailbox.mcs.com (Mailbox.mcs.com [192.160.127.87])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA14148
          for ; Wed, 5 Feb 1997 13:42:58 -0800 (PST)
Received: from Jupiter.Mcs.Net (karl@Jupiter.mcs.net [192.160.127.88])
          by Mailbox.mcs.com (8.8.5/8.8.2) with ESMTP id PAA13136;
          Wed, 5 Feb 1997 15:42:56 -0600 (CST)
Received: (from karl@localhost)
          by Jupiter.Mcs.Net (8.8.5/8.8.2) id PAA15082;
          Wed, 5 Feb 1997 15:42:56 -0600 (CST)
From: Karl Denninger
Message-Id: <199702052142.PAA15082@Jupiter.Mcs.Net>
Subject: Re: While we're on the subject...
To: tqbf@enteract.com
Date: Wed, 5 Feb 1997 15:42:56 -0600 (CST)
Cc: freebsd-security@freebsd.org
In-Reply-To: <199702052042.OAA27560@enteract.com> from "Thomas H. Ptacek" at Feb 5, 97 02:42:07 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > OpenBSD has the locale issue resolved reliably already.
>
> OpenBSD supports issetugid().
>
> Thus, I can tell, even when I'm deep in libc, if I was called from an SUID
> program. I can do that because execve() flipped a bit in my proc structure
> when it noticed that I was SUID.
>
> This is a good thing.
>
> Meaningless UID checks probably aren't. Anything could have happened to my
> creds, depending on the programmer calling the library, and I have no way
> of determining what happened.
>
> What's holding FreeBSD up on supporting issetugid()?
>
> ----------------
> Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
> ----------------
> "I'm standing alone, I'm watching you all, I'm seeing you sinking."

If euid != uid, then you're running SUID *NOW*.

If euid = 0, then you're running as root *NOW*.

Why does it matter what you might have been sometime before?

The issue is what you are running as at the time the call is made, no?

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | 99 Analog numbers, 77 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info@mcs.net" WWW: http://www.mcs.net/
Fax:   [+1 773 248-9865]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
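
The two checks under discussion, as an added illustration that is not code from either poster or from the FreeBSD or OpenBSD sources: a simplified C model of a process that is started from a set-uid image and then makes its real uid equal to its effective uid before calling a library routine. The struct, the function names and the paths are assumptions made for the example.

```c
#include <stdio.h>

#define DEFAULT_DIR "/usr/share/locale"   /* assumed built-in default */

/* Simplified per-process state (a model, not kernel source). */
struct proc_model {
    unsigned ruid, euid;  /* real and effective user id */
    int sugid;            /* mark set by exec of a set-id image; what issetugid() reports */
};

/* Model of execve(): a set-uid image changes euid and marks the process. */
static void model_exec(struct proc_model *p, int setuid_bit, unsigned owner)
{
    p->sugid = 0;
    if (setuid_bit && p->euid != owner) {
        p->euid = owner;
        p->sugid = 1;
    }
}

/* Model of the program making every uid equal; the exec mark is not cleared. */
static void model_set_uids(struct proc_model *p, unsigned uid)
{
    p->ruid = p->euid = uid;
}

/* Check 1: compare the ids as they are at the time of the call. */
static int uid_check(const struct proc_model *p) { return p->ruid != p->euid; }

/* Check 2: ask whether the process was started from a set-id image. */
static int sugid_check(const struct proc_model *p) { return p->sugid; }

/* Library routine: honour a caller-supplied directory only if the chosen check passes. */
static const char *locale_dir(const struct proc_model *p, const char *env_value, int use_flag)
{
    int untrusted = use_flag ? sugid_check(p) : uid_check(p);
    return (env_value && !untrusted) ? env_value : DEFAULT_DIR;
}

int main(void)
{
    struct proc_model p = { 1000, 1000, 0 };   /* constructed sample user */
    model_exec(&p, 1, 0);                      /* set-uid root image */
    model_set_uids(&p, 0);                     /* program equalises its ids */
    printf("uid check  -> %s\n", locale_dir(&p, "/tmp/user-locale", 0));
    printf("flag check -> %s\n", locale_dir(&p, "/tmp/user-locale", 1));
    return 0;
}
```
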