From owner-freebsd-security Mon Aug 4 10:56:04 1997
Date: Tue, 5 Aug 1997 03:53:05 +1000
From: Bruce Evans
Message-Id: <199708041753.DAA05901@godzilla.zeta.org.au>
To: bde@zeta.org.au, tqbf@enteract.com
Subject: Re: Proposed alternate patch for the rfork vulnerability
Cc: security@FreeBSD.ORG, sef@Kithrup.COM
Sender: owner-freebsd-security@FreeBSD.ORG

>execve() doesn't "turn off the sharing". Execution of an SUID program in a
>process that shares a file descriptor table causes the SUID bit not to be
>honored; this is a semantic with precedent (NOSUID, ptrace).

I would argue that ptrace is broken (but has to stay that way for
historical reasons). It isn't very useful to lose control on exec - if
you want that then you can detach before exec.

Losing the shared descriptor table on exec is also useless. If the table
is shared then you probably want it to continue to be shared. This only
causes security problems in the setuid case.

Bruce