From: David Schultz
To: "M. Warner Losh"
Cc: bde@zeta.org.au, julian@vicor.com, current@FreeBSD.ORG
Subject: Re: [Fwd: FreeBSD/Linux kernel setgid implementation]
Date: Sun, 21 Jul 2002 22:05:30 -0700
Message-ID: <20020722050530.GA1068@HAL9000.homeunix.com>
In-Reply-To: <20020720.010637.105098846.imp@bsdimp.com>

Thus spake M. Warner Losh:
> I would ****STRONGLY**** suggest that any attempts to change the
> setuid semantics of FreeBSD be resisted unless the person making the
> change is willing to a) audit the entire tree for places where the use
> of setuid breaks (and to publish the results of the non-breakage cases
> too) and b) be the point person for the next year after this change
> for the SO to send port breakages to.
>
> Many eyes have looked at the setuid/seteuid instances in the tree and
> verified them as being as correct as we can determine. I'd really
> hate to see that work undone by subtle changes in the system calls.

Interestingly, the paper grew out of a larger project to develop an
automated tool to verify temporal safety properties. The tool is written
and it has yielded promising results, although it presently lacks a front
end to drive all the parts and an extensive database of formalized
security properties. I'm working on the former deficiency right now. The
old hard-to-drive version is available at http://www.cs.berkeley.edu/~daw/mops/ .
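A miniature version of the kind of check the tool mentioned above performs, added here as an example that is not code from the thread or from MOPS: a temporal safety property written as a finite automaton over privilege-related calls, run over call traces of a program. The property, the event names and the traces are constructed for illustration, and checking explicit traces stands in for the real tool's whole-program path analysis.

```python
# Added example, not MOPS itself: a temporal safety property is an automaton
# over security-relevant calls; a program satisfies it only if no execution
# path reaches the error state. All names and the property are assumptions.
from typing import Dict, Iterable, List, Optional, Tuple

ERROR = "ERROR"

# Constructed property: a root-privileged program must permanently drop
# privileges (setuid to a non-root uid) before it execs another image.
# A temporary drop (seteuid) leaves the saved uid as root, so an exec from
# that state still hands root to the new program.
PROPERTY: Dict[Tuple[str, str], str] = {
    ("root", "seteuid_nonroot"): "temp_dropped",
    ("root", "setuid_nonroot"): "dropped",
    ("root", "execve"): ERROR,
    ("temp_dropped", "seteuid_root"): "root",
    ("temp_dropped", "setuid_nonroot"): "dropped",
    ("temp_dropped", "execve"): ERROR,
    ("dropped", "execve"): "dropped",
}

def event(call: str, uid: Optional[int]) -> str:
    """Abstract a concrete call into a symbol of the property's alphabet."""
    if call == "execve":
        return "execve"
    return f"{call}_{'root' if uid == 0 else 'nonroot'}"

def check_trace(trace: Iterable[Tuple[str, Optional[int]]], start: str = "root"):
    """Run one call trace through PROPERTY; return (ok, final_state, bad_index)."""
    state = start
    for i, (call, uid) in enumerate(trace):
        # Pairs not listed in PROPERTY are irrelevant to the property: no change.
        state = PROPERTY.get((state, event(call, uid)), state)
        if state == ERROR:
            return False, ERROR, i
    return True, state, None

def check_program(paths: Dict[str, List[Tuple[str, Optional[int]]]]):
    """A program is safe only if every path is; return the first violating path."""
    for name, trace in paths.items():
        ok, _, idx = check_trace(trace)
        if not ok:
            return name, idx
    return None

# Constructed call paths of a hypothetical setuid-root daemon.
PATHS = {
    "good": [("seteuid", 1000), ("seteuid", 0), ("setuid", 1000), ("execve", None)],
    "bad_temp_drop_then_exec": [("seteuid", 1000), ("execve", None)],
}
```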