From owner-freebsd-security Tue Nov 14 06:35:56 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id GAA03116 for security-outgoing; Tue, 14 Nov 1995 06:35:56 -0800
Received: from Root.COM (implode.Root.COM [198.145.90.17]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id GAA03088 ; Tue, 14 Nov 1995 06:35:38 -0800
Received: from corbin.Root.COM (corbin [198.145.90.50]) by Root.COM (8.6.12/8.6.5) with ESMTP id GAA28581; Tue, 14 Nov 1995 06:35:37 -0800
Received: from localhost (localhost [127.0.0.1]) by corbin.Root.COM (8.6.12/8.6.5) with SMTP id GAA00395; Tue, 14 Nov 1995 06:34:44 -0800
Message-Id: <199511141434.GAA00395@corbin.Root.COM>
To: Peter Wemm
cc: ache@astral.msk.su, committers@freebsd.org, security@freebsd.org
Subject: Re: cvs commit: CVSROOT log_accum.pl
In-reply-to: Your message of "Tue, 14 Nov 95 22:21:56 +0800."
From: David Greenman
Reply-To: davidg@Root.COM
Date: Tue, 14 Nov 1995 06:34:35 -0800
Sender: owner-security@freebsd.org
Precedence: bulk

>I still think we should move the login name to the "struct ucred" - then
>the possibility of the entire session being accidentally changed would no
>longer be an issue. struct ucred is normally 76 bytes long now. Another
>12 bytes wouldn't hurt all that much... (especially since another
>transient data structure would shrink as a result to partly offset the cost).

I think it needs to stay as part of the process group struct. It doesn't make
any sense from an architectural perspective to put it in the cred struct.

>IMHO, having a child process being able to modify the parent's
>environment goes against the unix religion^H^H^H^H^H^H^Hphilosophy of
>inherited privilege.

Which is why we should restrict it to the session leader.

-DG