Date: Thu, 20 Jul 2000 00:25:48 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Marcel Moolenaar <marcel@FreeBSD.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/i386/linux linux_dummy.c linux_misc.c
Message-ID: <Pine.NEB.3.96L.1000720001526.77319D-100000@fledge.watson.org>
In-Reply-To: <200007190353.UAA71410@freefall.freebsd.org>
Marcel,

I have not had a chance to review these commits as I am on travel. However, it strikes me that these are security-sensitive commits, and I didn't see a reviewed-by: on the original or MFC commits. As you know, we don't have a semantic equivalent to the Linux fsuid behavior, which (without looking at the patches) strongly suggests to me that we are emulating the behavior improperly, or noop'ing it. Incorrect emulation or no-oping the call may result in an application believing it has given up privileges when it has not, or giving up privileges that it does not know that it will.

As a security person who has spent a fair amount of time of late beating up on Linux people to fix their capabilities implementation due to incorrect combining of uid and capability semantics, which is a very complicated thing, I can only point out that this is something we want to be *very* careful about. The recent Linux kernel/sendmail bug is just one example of the results of not being very careful with security-sensitive calls and behaving predictably from the application perspective.

Do you feel comfortable that this puts neither the kernel nor privileged userland applications at risk? I.e., do we precisely emulate their semantics and avoid introducing new security problems? If the answer to either of these questions is no, I'd like to see this backed out before the release.

Thanks!

On Tue, 18 Jul 2000, Marcel Moolenaar wrote:

> marcel      2000/07/18 20:53:08 PDT
>
>   Modified files:        (Branch: RELENG_4)
>     sys/i386/linux       linux_dummy.c linux_misc.c
>   Log:
>   MFC: Implement setfsuid and setfsgid.
>
>   PR: 16993
>
>   Revision  Changes    Path
>   1.21.2.1  +1 -3      src/sys/i386/linux/linux_dummy.c
>   1.77.2.2  +21 -1     src/sys/i386/linux/linux_misc.c

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
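The failure mode Robert describes, an application that believes it has dropped privileges when the call was silently no-op'ed, is exactly what a Linux program has to guard against with setfsuid(2), because that call returns the previous fsuid on both success and failure and sets no errno. The example below is added here and is not code from the thread or from the FreeBSD Linux emulator; it assumes a Linux host with glibc's `<sys/fsuid.h>` and shows the second-call idiom documented in setfsuid(2): issue the call once, then repeat it and treat the return value of the repeat as the kernel's actual current fsuid. An emulation that ignored the request would fail this check (the repeat would still report the old id), which is how a privileged program can detect that its drop did not take effect rather than trusting the call. The helper names `drop_fs_uid` and `drop_fs_gid` are this example's own.

```c
/* Added example (not from the thread): verify that a Linux setfsuid()/setfsgid()
 * privilege drop actually took effect instead of trusting the call.
 * setfsuid(2) returns the *previous* fsuid on success and on failure and never
 * sets errno, so the only reliable check is a second call with the same value:
 * the repeat returns whatever the first call left in place. */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/fsuid.h>
#include <sys/types.h>
#include <unistd.h>

/* Set the filesystem uid to `target` and confirm the kernel now reports it.
 * Returns 0 when the drop took effect, -1 when the fsuid is still something else. */
int drop_fs_uid(uid_t target)
{
    (void)setfsuid(target);             /* return value = old fsuid, says nothing about success */
    uid_t now = (uid_t)setfsuid(target); /* repeat: now returns the fsuid the first call left */
    return (now == target) ? 0 : -1;
}

/* Same idiom for the filesystem gid via setfsgid(2). */
int drop_fs_gid(gid_t target)
{
    (void)setfsgid(target);
    gid_t now = (gid_t)setfsgid(target);
    return (now == target) ? 0 : -1;
}

int main(void)
{
    /* Dropping to our own real ids is always permitted, so this must succeed. */
    uid_t me = getuid();
    gid_t mygrp = getgid();
    if (drop_fs_uid(me) != 0 || drop_fs_gid(mygrp) != 0) {
        fprintf(stderr, "fsuid/fsgid did not change to %u/%u\n",
                (unsigned)me, (unsigned)mygrp);
        return 1;
    }
    printf("fsuid=%u fsgid=%u confirmed by second call\n",
           (unsigned)me, (unsigned)mygrp);

    /* Constructed negative case: an unprivileged process may not take fsuid 0.
     * The first call fails silently; only the repeat reveals that nothing changed. */
    if (me != 0) {
        if (drop_fs_uid(0) == 0) {
            fprintf(stderr, "unexpected: unprivileged process obtained fsuid 0\n");
            return 1;
        }
        printf("request for fsuid 0 correctly reported as not taking effect\n");
    }
    return 0;
}
```

Run as an ordinary user the program confirms the self-drop and reports that the request for fsuid 0 did not take effect; the point for a privileged daemon is that every drop is followed by the confirming call before it touches a file on the user's behalf.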