From owner-freebsd-security Mon Aug 4 10:01:05 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id KAA10909 for security-outgoing; Mon, 4 Aug 1997 10:01:05 -0700 (PDT)
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA10897 for ; Mon, 4 Aug 1997 10:01:01 -0700 (PDT)
Received: (from bde@localhost) by godzilla.zeta.org.au (8.8.5/8.6.9) id CAA02664; Tue, 5 Aug 1997 02:58:51 +1000
Date: Tue, 5 Aug 1997 02:58:51 +1000
From: Bruce Evans
Message-Id: <199708041658.CAA02664@godzilla.zeta.org.au>
To: bde@zeta.org.au, tqbf@enteract.com
Subject: Re: Proposed alternate patch for the rfork vulnerability
Cc: security@FreeBSD.ORG, sef@Kithrup.COM
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>> I think exec should just fail if it can't honour setuid'ness. For ptrace
>
>Why? What does this win?

Conformance with the rfork man page:

! RFFDG If set, the invoker's file descriptor table (see intro(2)
! ) is copied; otherwise the two processes share a single
! table.
!...
! File descriptors in a shared file descriptor table are kept open until
! either they are explicitly closed or all processes sharing the table ex-
! it.

It doesn't say that exec turns off the sharing.

Bruce