From owner-freebsd-current Sat Jul 20 0: 7:15 2002
Date: Sat, 20 Jul 2002 01:06:37 -0600 (MDT)
Message-Id: <20020720.010637.105098846.imp@bsdimp.com>
To: bde@zeta.org.au
Cc: julian@vicor.com, current@FreeBSD.ORG
Subject: Re: [Fwd: FreeBSD/Linux kernel setgid implementation]
From: "M. Warner Losh"
In-Reply-To: <20020720131426.T15254-100000@gamplex.bde.org>
References: <20020720130233.Y15254-100000@gamplex.bde.org> <20020720131426.T15254-100000@gamplex.bde.org>

In message: <20020720131426.T15254-100000@gamplex.bde.org>
            Bruce Evans writes:
: On Fri, 19 Jul 2002, Julian Elischer wrote:
:
: > forwarded from bugtraq..
:
: > Indeed, with their rigorous methodology, the authors did detect this error in the setgid linux manpage on Red Hat 7.2. I just wonder if they reported it (the manpage on www.linux.org is still inaccurate at the moment).
: > This paper also reports a real example of a program with the setgid flag only, that thinks it can drop all privileges by calling setgid(getgid()). It is OK on FreeBSD, but not on Linux...
:
: This point will have to be revisited soon, since POSIX.1-2001 requires
: _POSIX_SAVED_IDS.  I think the full brokenness of _POSIX_SAVED_IDS can
: be avoided using a suitably weaselish definition of "appropriate"
: privilege (give everyone that can do set[ug]id() appropriate privilege,
: so that doing it drops the extra saved [ug]id privilege).

I would ****STRONGLY**** suggest that any attempts to change the setuid
semantics of FreeBSD be resisted unless the person making the change is
willing to a) audit the entire tree for places where the use of setuid
breaks (and to publish the results of the non-breakage cases too) and
b) be the point person for the next year after this change for the SO
to send port breakages to.

Many eyes have looked at the setuid/seteuid instances in the tree and
verified them as being as correct as we can determine.  I'd really hate
to see that work undone by subtle changes in the system calls.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
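The thread's concrete point is that a set-group-ID program which calls setgid(getgid()) is fully deprivileged on FreeBSD but not on Linux, where an unprivileged caller changes only the effective gid and the saved set-group-ID keeps the privileged group. The following is an added example, not code from the thread or from either kernel: it shows the defensive pattern of setting real, effective and saved gids explicitly and then reading all three back to confirm the drop took effect. It assumes setresgid()/getresgid() are available (Linux and FreeBSD provide them; POSIX does not require them), so it will not build on systems without them.

```c
/* Added example (not from the mailing-list thread): drop set-group-ID
 * privilege in a way that does not depend on setgid() semantics, and
 * verify the result instead of trusting the call's return value.
 *
 * Background from the thread: on Linux an unprivileged process calling
 * setgid(getgid()) changes only the effective gid, leaving the saved
 * set-group-ID privileged (so setegid() can restore it); on FreeBSD,
 * setgid() to the real gid resets all three ids. setresgid() removes the
 * ambiguity by naming all three ids. Assumed available on Linux/FreeBSD.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc only exposes these prototypes when _GNU_SOURCE precedes the first
 * system header; declare them here too so the file builds even if another
 * header was included earlier. Identical redeclaration is legal C. */
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* Return 0 if real, effective AND saved gid all equal `want`, else -1.
 * The saved gid is the one setgid(getgid()) leaves behind on Linux. */
int gids_all_equal(gid_t want)
{
    gid_t r, e, s;
    if (getresgid(&r, &e, &s) != 0)
        return -1;
    return (r == want && e == want && s == want) ? 0 : -1;
}

/* Return 1 if the saved (or effective) gid still differs from the real
 * gid, i.e. group privilege could be regained; 0 if fully dropped;
 * -1 on error. Pure inspection, changes nothing. */
int saved_gid_still_privileged(void)
{
    gid_t r, e, s;
    if (getresgid(&r, &e, &s) != 0)
        return -1;
    return (s != r || e != r) ? 1 : 0;
}

/* Drop group privilege to `gid` and verify. Returns 0 only when all three
 * ids were confirmed equal to `gid`; -1 with errno set otherwise. */
int drop_group_privilege(gid_t gid)
{
    /* One call sets real, effective and saved ids, so no saved set-group-ID
     * can silently remain privileged whichever kernel we run on. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;                      /* errno set by setresgid() */
    /* Read back what the kernel actually did rather than assuming. */
    if (gids_all_equal(gid) != 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    gid_t real = getgid();
    if (drop_group_privilege(real) != 0) {
        perror("drop_group_privilege");
        return 1;
    }
    printf("group privilege dropped and verified (gid %ld)\n", (long)real);
    printf("saved gid still privileged: %d\n", saved_gid_still_privileged());
    return 0;
}
```

Run as an ordinary user the three ids already match, so the drop succeeds trivially; installed set-group-ID the same code is what distinguishes a real drop from the setgid(getgid()) pattern Julian's forward describes. A complete drop also needs setgroups() to clear supplementary groups and, for set-user-ID binaries, the equivalent setresuid() sequence ordered so the uid change happens last.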