Date: Wed, 12 Dec 2001 15:41:47 -0500 (EST)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: Bruce Evans <bde@zeta.org.au>
Cc: <freebsd-audit@FreeBSD.ORG>, <freebsd-security@FreeBSD.ORG>
Subject: Re: setuid() POSIX compliance
Message-ID: <200112122041.fBCKflY68302@khavrinen.lcs.mit.edu>
In-Reply-To: <20011212211356.L34562-100000@gamplex.bde.org>
References: <3C15B736.7080605@uclink.berkeley.edu> <20011212211356.L34562-100000@gamplex.bde.org>
<<On Wed, 12 Dec 2001 22:01:42 +1100 (EST), Bruce Evans <bde@zeta.org.au> said:
> change one of their ids using setuid() is considered to have
> "appropriate privilege".
``Appropriate privilege'', in the POSIX sense, can be any arbitrarily
complex predicate. I.e., ``the process belongs to a user whose
supplementary group list contains exactly three groups, the person
sitting at the console is carrying an umbrella, and the moon is waxing
gibbous'' is a valid definition of ``appropriate privilege''.
A valid implementation of setuid() (ignoring syscall calling
convention issues) could be:
int
setuid(uid_t uid)
{
	/* ... */
	/*
	 * Appropriate privilege is defined as:
	 * 1) The process belongs to the super-user, or
	 * 2) The process has the CAP_CHANGE_UID capability, or
	 * 3) The process already has that uid.
	 *
	 * This definition trumps the second clause (1003.1-2001,
	 * ll. 41136ff) by considering all processes it would otherwise
	 * apply to privileged.
	 */
	if (uid == cred->cr_uid || uid == cred->cr_euid ||	/* 3) real, effective, */
	    uid == cred->cr_svuid ||				/*    or saved uid */
	    has_capability(cred, CAP_CHANGE_UID) ||		/* 2) */
	    suser_cred(cred)) {					/* 1) */
		cred = crcopy(cred);	/* private copy before modifying it */
		assert(cred && cred->cr_refcnt == 1);
		cred->cr_uid = cred->cr_euid = cred->cr_svuid = uid;
		install_process_credential(cred);
		retval = 0;
	} else {
		errno = EPERM;
		retval = -1;
	}
	return (retval);
}
This implementation is valid regardless of whether _POSIX_SAVED_IDS is
defined -- hence the problems which are detailed in the 1003.1-2001
rationale for setuid().
-GAWollman
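As an added illustration (not part of Garrett's message or of FreeBSD's kernel), the following userland C model contrasts the two POSIX.1-2001 setuid() clauses with the "appropriate privilege" predicate proposed above, to show why the same call can leave a program in different credential states. The struct, the function names and the uid values are constructed for the example, and the capability clause is left out.

```c
#include <stdbool.h>
#include <sys/types.h>

/* The three per-process user IDs (struct constructed for this example). */
struct model_cred {
	uid_t ruid;	/* real uid */
	uid_t euid;	/* effective uid */
	uid_t svuid;	/* saved set-user-ID */
};

/*
 * POSIX.1-2001 setuid(): with appropriate privilege all three IDs are set;
 * without it only the effective uid may change, and only to the real or
 * saved uid.  Returns 0 on success, -1 where the real call fails with EPERM.
 */
static int
posix_setuid(struct model_cred *c, uid_t uid, bool appropriate_privilege)
{
	if (appropriate_privilege) {
		c->ruid = c->euid = c->svuid = uid;
		return (0);
	}
	if (uid == c->ruid || uid == c->svuid) {
		c->euid = uid;	/* real and saved IDs stay as they were */
		return (0);
	}
	return (-1);
}

/*
 * The predicate from the message above (capability clause omitted): the
 * super-user, or a process already holding uid in any slot, counts as
 * privileged, so every successful call rewrites all three IDs.
 */
static int
wollman_setuid(struct model_cred *c, uid_t uid)
{
	bool priv = c->euid == 0 || uid == c->ruid || uid == c->euid ||
	    uid == c->svuid;
	return (posix_setuid(c, uid, priv));
}

/* Privilege is only gone for good when no slot still holds uid 0; a program
 * dropping privilege should check this rather than trust setuid() alone. */
static bool
can_regain_root(const struct model_cred *c)
{
	return (c->ruid == 0 || c->euid == 0 || c->svuid == 0);
}
```

For a set-user-ID-root program run by uid 1000 that has already lowered its effective uid, i.e. credentials {1000, 1000, 0}, setuid(1000) under the second clause alone leaves the saved uid at 0 and root regainable, while the message's predicate treats the same call as privileged and sets all three IDs to 1000.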
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200112122041.fBCKflY68302>
