Date: Mon, 24 Apr 95 10:11:16 WET DST
From: erandall@muffit.reo.dec.com (Ed Randall)
To: wollman@halloran-eldar.lcs.mit.edu (Garrett Wollman)
Cc: freebsd-security@FreeBSD.org
Subject: Re: Call for remove setr[ug]id() and setre[ug]id() from libc
Message-ID: <9504240911.AA09374@muffit.reo.dec.com>
In-Reply-To: <9504211549.AA06954@halloran-eldar.lcs.mit.edu>; from "Garrett Wollman" at Apr 21, 95 11:49 am

Hi Garrett,

Garrett Wollman writes:
>
> <<On Fri, 21 Apr 95 8:46:57 WET DST, erandall@muffit.reo.dec.com (Ed Randall) said:
>
> > Wouldn't it be better to FIX these functions to match the POSIX standard, and
> > patch up the security holes ?
>
> The POSIX standard specifies set[ug]id() AND NOTHING ELSE. Do you
> really want strict POSIX behavior?
>
> I didn't think so...

Sorry, I stand corrected; I'm not an expert on POSIX, and I don't even own a
copy of it. But I got the impression that we had a load of stuff here that
was about to be chopped without consideration for actually fixing it first,
with unknown repercussions ...

I'm all for standards compliance, it makes portability SO much easier.
And while I'm about it, hats off to HP for being the only major UNIX that
actually states in its manual pages, exactly what standard their API conforms
to; I wish everyone else would do it.

But no, I don't think that "legacy" functions that are outside of a standard
should be removed for that reason alone;
If they are broken in some way, they should be fixed;
If they are broken so badly that for example the mere _specification_ of them
is a security hole, then yes, there is a case for removing them, and fixing
any applications that make use of them, to do it the "proper" way.

The manual pages should state exactly what standards they conform to, if any,
and whether or not they are obsolete and may not be supported in future
releases.

What are your views on the subject ?

BTW, do you happen to know if there is a URL where I can get access to the
full POSIX spec ?

Regards,

Ed
----
----------------------------------------------------------------------
Ed Randall
Digital Equipment Co.Ltd., Worton Grange, Reading
DECnet   : RDGENG::RANDALL              Internal phone : 7-830-4712
Internet : erandall@muffit.reo.dec.com  Telephone: (01734) 204712
----------------------------------------------------------------------
Speaking for myself, not for Digital or anybody else.