Date: Fri, 13 Dec 1996 21:08:04 +1100
From: Bruce Evans <bde@zeta.org.au>
To: adam@veda.is, freebsd-current@freebsd.org
Subject: Re: setgid() semantics
Message-ID: <199612131008.VAA28452@godzilla.zeta.org.au>

>It is apparently no longer possible to use setgid() to switch between real
>and effective gids. Can someone please confirm this change to be intentional,
>or help identify the problem. (found by elm)

It was intentional to stop setuid() and setgid() switching ids as non-root.
They never worked to switch ids as root. The switching version broke the
BSD4.4Lite security model and programs that depended on it often didn't know
enough about saved ids to be secure.

>Looks probable that this was among the recent Posix conformance changes.

This was a security change. Both behaviours are POSIX conformant.

Gids can be switched securely using the following models:

BSD4.4Lite:
    Use setegid() to switch between the real gid and the saved gid.
    (The saved gid is initially the effective gid.) Use setgid() to
    set all the ids to the same value. Do not use setrgid() or
    setregid(). These functions are just wrappers around setegid().
    They never change the saved gid, and have other problems.

FreeBSD-current:
    Use setregid() to switch gids as usual. Use setregid(uid, uid) or
    setgid(uid) to set all the ids to the same value. You can also
    use the BSD4.4Lite model, but this is probably less portable.

POSIX, as implemented in FreeBSD:
    If _POSIX_SAVED_IDS is not defined, you lose.
    If _POSIX_SAVED_IDS is defined:
        If the effective uid is root, you lose (you can switch to
        another id, but there is no way back).
        Otherwise, you can switch gids using setgid(). You can't
        drop the saved gid without execing.

POSIX, with "appropriate privilege" meaning something different from
being root:
    If _POSIX_SAVED_IDS is not defined:
        "appropriate privilege" can probably involve hidden state to
        allow switching between previously acceptable ids. It isn't
        clear how this state could be dropped.
    If _POSIX_SAVED_IDS defined:
        Same as if it is defined, except it is guaranteed that you
        can't drop the saved gid :-].

FreeBSD-previous:
    Use setregid() as in -current. Do not use the full BSD4.4Lite
    model as non-root, since setgid() does not drop the saved id.
    As non-root, you can also use setgid() to switch gids, but
    setregid() must be used to set all the gids to the same value.

Bruce
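
Added example, not part of the message above and not FreeBSD project code: a setgid program that brackets its privileged work with setegid() as in the BSD4.4Lite model, then drops the group for good with setregid(gid, gid) and checks that the saved gid is really gone. The function names are hypothetical, and the final probe is skipped when the effective uid is root, since root can always change gid.

```c
/* Added example: gid bracketing for a setgid program (names are hypothetical). */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

static gid_t real_gid, priv_gid;

/* Record the ids at startup; the saved gid starts out equal to the effective gid. */
void gid_init(void) { real_gid = getgid(); priv_gid = getegid(); }

/* Temporary drop: only the effective gid changes, the saved gid is kept. */
int gid_drop_temp(void) {
    if (setegid(real_gid) != 0) return -1;
    return getegid() == real_gid ? 0 : -1;
}

/* Regain the privileged gid from the saved gid. */
int gid_regain(void) {
    if (setegid(priv_gid) != 0) return -1;
    return getegid() == priv_gid ? 0 : -1;
}

/* Permanent drop: set real and effective gid together, then prove there is no way back. */
int gid_drop_permanent(void) {
    if (setregid(real_gid, real_gid) != 0) return -1;
    if (getgid() != real_gid || getegid() != real_gid) return -1;
    /* root can always change gid, so the regain probe only means something as non-root. */
    if (geteuid() != 0 && priv_gid != real_gid && setegid(priv_gid) == 0)
        return -1; /* saved gid survived: the drop did not take */
    return 0;
}

int main(void) {
    gid_init();
    if (gid_drop_temp() != 0) { perror("drop"); return 1; }
    /* ... unprivileged work, e.g. handling user-supplied paths ... */
    if (gid_regain() != 0) { perror("regain"); return 1; }
    /* ... the one operation that needs the group ... */
    if (gid_drop_permanent() != 0) { fprintf(stderr, "gid drop failed\n"); return 1; }
    printf("rgid=%d egid=%d\n", (int)getgid(), (int)getegid());
    return 0;
}
```

A caller that gets -1 from gid_drop_permanent() should exit rather than continue, because the process may still hold the group.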