Date: Mon, 24 Mar 1997 16:28:41 +0300 (MSK) From: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= <ache@nagual.ru> To: Warner Losh <imp@freefall.freebsd.org> Cc: CVS-committers@freefall.freebsd.org, cvs-all@freefall.freebsd.org, cvs-lib@freefall.freebsd.org Subject: Re: cvs commit: src/lib/libc/stdtime localtime.c Message-ID: <Pine.BSF.3.95q.970324162624.660E-100000@nagual.ru> In-Reply-To: <199703240609.WAA00671@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 23 Mar 1997, Warner Losh wrote: > imp 97/03/23 22:09:53 > > Modified: lib/libc/stdtime localtime.c > Log: > Don't open the tz file if we're running setuid or setgid to prevent infomration > leakage. You can't determine setuid without issetuid() syscall implementing, so this change gives only false sense of security. Priveledges can be dropped before the moment you check them using getuid()/geteuid() and restored back to suid after your check, so your check gains nothing. -- Andrey A. Chernov <ache@null.net> http://www.nagual.ru/~ache/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95q.970324162624.660E-100000>