Subject: Re: setreuid semantics changed
To: Chris G. Demetriou <cgd@postgres.Berkeley.EDU>
From: None <Mark_Weaver@brown.edu>
List: current-users
Date: 04/08/1994 15:26:28
> There can be serious problems any time setreuid() or setruid()
> is used -- most of the rdist security holes, for instance, were
> caused by it.

Okay, I see the problem.  So why not do the same thing you did for
gets()?  Print a warning message the first time it's used, but
maintain the old functionality, at least for a while.  That would give
us all time to port things over.  As it stands we have to deal with
several broken programs, some of which we may not even know about yet.

I understand and agree with your policy to eliminate old, buggy
functionality.  But I feel you should at least provide a "grace
period" to give us a chance to keep up.  If you were to provide the
warning messages for one month before eliminating the functionality,
I'd be happy.

	Mark
--------------------------------------------------------------------
Email: Mark_Weaver@brown.edu           | Brown University
PGP Key: finger mhw@cs.brown.edu       | Dept of Computer Science
