From owner-freebsd-audit Tue May 8 11:22:30 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16]) by hub.freebsd.org (Postfix) with ESMTP id D510037B507; Tue, 8 May 2001 11:22:21 -0700 (PDT) (envelope-from bde@zeta.org.au)
Received: from bde.zeta.org.au (bde.zeta.org.au [203.2.228.102]) by mailman.zeta.org.au (8.9.3/8.8.7) with ESMTP id EAA05606; Wed, 9 May 2001 04:22:14 +1000
Date: Wed, 9 May 2001 04:20:44 +1000 (EST)
From: Bruce Evans
X-Sender: bde@besplex.bde.org
To: Ruslan Ermilov
Cc: Kris Kennaway, audit@FreeBSD.ORG
Subject: Re: ping6 fixes
In-Reply-To: <20010508152816.A58026@sunbay.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 8 May 2001, Ruslan Ermilov wrote:

> On Tue, May 08, 2001 at 04:03:48AM -0700, Kris Kennaway wrote:
> [...]
> > +
> > +	/* revoke root privilege */
> > +	seteuid(getuid());
> > +	setuid(getuid());
> >
> >  	/*
> >  	optval = 1;
>
> I still think seteuid() here is superfluous, but see below.
>
> I've just checked that OpenBSD's setuid() behaves differently,
> as mandated by recent POSIX specs.  The differences are as
> follows:

This doesn't seem to be anything recent.  I'll check again tomorrow
when I'm awake.  Does POSIX now mandate _BROKEN^W_POSIX_SAVED_IDS?

> ...
>
> Under OpenBSD, the attached program succeeds:

None was attached :-).

> seteuid() to the fake (12345) UID
> setuid() to the real (1010) UID
> seteuid() back to the saved (0) UID
>
> Under FreeBSD, it fails with:
>
> seteuid() to the fake (12345) UID
> setuid() to the real (1001) UID
> seteuid() back to the saved (0) UID
> setuid: seteuid: Operation not permitted

I think I now understand the purpose of seteuid() before setuid().  It
is to set the euid to a value such that the process has "appropriate
privilege" for setuid() to set all the ids.
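Review bot: in the quoted hunk the order of the two calls matters on systems with POSIX saved set-user-IDs, and neither return value is checked. Once seteuid(getuid()) has made the effective id non-root, the following setuid(getuid()) runs without appropriate privilege and, under the POSIX saved-ids behaviour, changes only the effective id; the saved id stays 0 and a later seteuid(0) succeeds, which is exactly what the OpenBSD trace quoted in this mail shows. On FreeBSD setuid(getuid()) sets all three ids, so the drop holds there. Calling setuid(getuid()) while the euid is still 0 drops all ids under both behaviours; checking the return values, and verifying afterwards that seteuid(0) fails (aborting if it does not), makes the drop robust on either kind of system.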
"Appropriate privilege" is implementation-defined and context-dependent.
FreeBSD defines it such that everyone has it for the context of setuid()
to their real uid, so setuid(getuid()) always works "right".  IIRC, this
is mainly so that setuid(getuid()) can work at all (when ruid != euid) in
the !_POSIX_SAVE_IDS case.  When it works, it works "right" -- it must
set the euid, and it should set any (non-POSIX) saved ids so that it
works the same as on systems without any saved ids.  I think this is all
POSIX.1-199[0-6] conformant.  BSD4.4-style saved ids can be viewed as
things that control "appropriate privilege".

Bruce


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
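The two behaviours the thread compares can be replayed offline with a small credential model. The following C program is an added example, not code from the thread or from any BSD kernel: it models a process's real, effective and saved user ids, implements setuid() under the FreeBSD rule Bruce describes (setuid() to the real uid sets all ids) and under the POSIX saved-ids rule (an unprivileged setuid() to the real or saved uid changes only the effective id), and replays the three-call sequence from Ruslan's test with the thread's values (fake uid 12345, real uid 1010 or 1001, saved uid 0). It also evaluates the seteuid(getuid()); setuid(getuid()) drop from the quoted patch under both policies and reports whether root can be regained afterwards, which is the check a privilege-dropping program should make on itself. The struct, function and enum names are this example's own; the seteuid() permission rule (root, or a target equal to one of the caller's own ids) is assumed to be the same under both policies.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Minimal model of a process's user ids: real, effective and saved.
 * Constructed for illustration; this is not kernel code. */
struct cred { uid_t ruid, euid, svuid; };

/* The two setuid() behaviours compared in the thread. */
enum policy {
    POLICY_FREEBSD,        /* setuid(getuid()) always sets all ids */
    POLICY_POSIX_SAVED_IDS /* unprivileged setuid() sets the effective id only */
};

/* seteuid(): permitted for root, or when the target is one of the caller's
 * own real, effective or saved ids. Only the effective id changes. */
static bool model_seteuid(struct cred *c, uid_t uid)
{
    if (c->euid != 0 && uid != c->ruid && uid != c->euid && uid != c->svuid)
        return false;                       /* EPERM */
    c->euid = uid;
    return true;
}

static bool model_setuid(struct cred *c, uid_t uid, enum policy p)
{
    if (c->euid == 0) {                     /* root: all three ids change */
        c->ruid = c->euid = c->svuid = uid;
        return true;
    }
    if (p == POLICY_FREEBSD && uid == c->ruid) {
        /* "appropriate privilege" for setuid() to the real uid: the saved id
         * is dropped too, so the old euid cannot be regained afterwards */
        c->euid = c->svuid = uid;
        return true;
    }
    if (p == POLICY_POSIX_SAVED_IDS && (uid == c->ruid || uid == c->svuid)) {
        c->euid = uid;                      /* saved id keeps its old value */
        return true;
    }
    return false;                           /* EPERM */
}

/* Replay the three-call sequence from the thread against a set-uid-root
 * process (ruid = real, euid = svuid = 0). Returns true when the final
 * seteuid(0) succeeds, i.e. root can be regained. */
bool replay_thread_sequence(enum policy p, uid_t real, uid_t fake, struct cred *out)
{
    struct cred c = { real, 0, 0 };
    bool regained;

    model_seteuid(&c, fake);                /* seteuid() to the fake UID */
    model_setuid(&c, real, p);              /* setuid() to the real UID */
    regained = model_seteuid(&c, 0);        /* seteuid() back to the saved UID */
    if (out != NULL)
        *out = c;
    return regained;
}

/* The privilege drop from the quoted patch, seteuid(getuid()) followed by
 * setuid(getuid()), evaluated under a policy. Returns true if root can be
 * regained afterwards, which is what a post-drop self-check should reject. */
bool drop_is_reversible(enum policy p, uid_t real)
{
    struct cred c = { real, 0, 0 };

    model_seteuid(&c, real);
    model_setuid(&c, real, p);
    return model_seteuid(&c, 0);
}

int main(void)
{
    struct cred c;
    bool regained;

    regained = replay_thread_sequence(POLICY_POSIX_SAVED_IDS, 1010, 12345, &c);
    printf("POSIX saved ids, real uid 1010: root regained = %d (svuid %u)\n",
           regained, (unsigned)c.svuid);
    regained = replay_thread_sequence(POLICY_FREEBSD, 1001, 12345, &c);
    printf("FreeBSD, real uid 1001: root regained = %d (svuid %u)\n",
           regained, (unsigned)c.svuid);
    printf("patch's drop reversible? FreeBSD %d, POSIX saved ids %d\n",
           drop_is_reversible(POLICY_FREEBSD, 1001),
           drop_is_reversible(POLICY_POSIX_SAVED_IDS, 1001));
    return 0;
}
```

The replay reproduces both traces from the mail: under the POSIX saved-ids rule the final seteuid(0) succeeds because the saved id was never touched, while under the FreeBSD rule it fails because setuid(1001) cleared the saved id as well. The last line of output is the practical consequence for the patch: the seteuid-then-setuid order is irreversible on FreeBSD but reversible under the POSIX saved-ids behaviour, since the first call gives up the privilege the second one needs to set all ids.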