Subject: Re: fcntl(.., F_SETOWN, ..)
To: None <current-users@NetBSD.ORG>
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
List: current-users
Date: 04/10/1996 19:54:06
> My reading of the NetBSD kernel code is that (at least for sockets)
> no authorisation checking of the value of the third argument to
> `fcntl(.., F_SETOWN, ..)' is performed, and that no checking is done
> when `so_pgid' is used for dispatching `SIG{IO,SIG}'.

Not just sockets; I recall noticing something very similar elsewhere.

> If this is not a feature, I feel that it would be better to reject
> any attempt by a non-root caller to set `so_pgid' to the process id
> of a process in a different session from the caller or to the
> negative of the process group id of a process group in a different
> session from the caller.

I see no reason to restrict it to the session; setting it to any
process or group that the setting process could send a signal to should
be allowed.  In particular, a process with the same UID but in another
session....

Note that there is yet another danger: the process ID may be allowable
at the time it is set but not at the time the signal is sent.  To deal
with this, you'd have to save a copy of the credentials as of the time
of the set and then verify the legality when it's time to send.

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu
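As an added illustration of the check proposed in the reply above (example code, not from the mail or from the NetBSD kernel): a user-space C model in which F_SETOWN refuses a target the caller could not signal, records the caller's credentials, and re-applies the kill(2) permission rule when SIGIO would be dispatched, so a pid that has since been reused by another user's process no longer receives the signal. The struct and function names are invented for the model, and it handles positive process ids only, not negative process-group ids.

```c
/* Added example, not from the mail or from NetBSD: a user-space model of the
 * proposed check. Credentials are saved at F_SETOWN time and the kill(2) rule
 * is re-applied at SIGIO dispatch. Names are invented; positive pids only. */
#include <stdio.h>
#include <stdbool.h>
#include <sys/types.h>
struct creds { uid_t ruid; uid_t euid; uid_t svuid; }; /* what kill(2) compares */
struct proc { pid_t pid; struct creds cr; bool alive; }; /* a process table slot */
struct sockowner { pid_t so_pgid; struct creds setter; bool set; }; /* per socket */

/* kill(2) rule: root, or sender's real/effective uid matches target's real or saved uid. */
static bool can_signal(const struct creds *s, const struct creds *t) {
    if (s->euid == 0) return true;
    return s->ruid == t->ruid || s->ruid == t->svuid ||
           s->euid == t->ruid || s->euid == t->svuid;
}
static struct proc *find_proc(struct proc *tab, size_t n, pid_t pid) {
    for (size_t i = 0; i < n; i++)
        if (tab[i].alive && tab[i].pid == pid) return &tab[i];
    return NULL;
}

/* F_SETOWN: refuse a target the caller could not signal now, and remember the
 * caller's credentials for the later check. Returns 0, or -1 (as EPERM/ESRCH). */
int model_setown(struct sockowner *so, const struct creds *caller,
                 struct proc *tab, size_t n, pid_t pid) {
    struct proc *t = find_proc(tab, n, pid);
    if (t == NULL || !can_signal(caller, &t->cr)) return -1;
    so->so_pgid = pid; so->setter = *caller; so->set = true;
    return 0;
}

/* SIGIO dispatch: re-check the *saved* setter credentials against whoever holds
 * the pid now. Returns 1 if the signal would be sent, 0 if it is suppressed. */
int model_deliver_sigio(const struct sockowner *so, struct proc *tab, size_t n) {
    struct proc *t = so->set ? find_proc(tab, n, so->so_pgid) : NULL;
    if (t == NULL) return 0;                         /* owner gone or never set */
    return can_signal(&so->setter, &t->cr) ? 1 : 0;
}

int main(void) {
    struct proc tab[] = { { 100, { 1000, 1000, 1000 }, true } }; /* constructed */
    struct sockowner so = { 0, { 0, 0, 0 }, false };
    struct creds alice = { 1000, 1000, 1000 };
    int r = model_setown(&so, &alice, tab, 1, 100);
    printf("setown=%d deliver=%d\n", r, model_deliver_sigio(&so, tab, 1)); /* 0 1 */
    tab[0].cr = (struct creds){ 2000, 2000, 2000 };  /* pid 100 reused by uid 2000 */
    printf("after reuse deliver=%d\n", model_deliver_sigio(&so, tab, 1));  /* 0 */
    return 0;
}
```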