Subject: Re: setreuid() and setregid()
To: None <mycroft@MIT.EDU>
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
List: tech-kern
Date: 05/22/1996 06:58:28
> I find it fairly bogus that we implement these functions incorrectly.

So do I.

> I propose implementing them as specified in 4.3BSD, with three
> additional changes to enforce the 4.4BSD security model:

> 1) If we change the real ID, also change the saved ID to the same
>    thing.  This provides a `downward slope'; [...]

Essentially, it does away with the saved-ID, which is exactly what you
want for programs that use setre[ug]id, since they're designed for the
4.3 model, which doesn't _have_ a saved-ID.

> 2) Any places which compare the real and saved IDs to check whether a
>    process is still in a set-ID context (e.g. coredump()) must be
>    changed to also compare the effective ID.

Right.  And again, this sounds like exactly what you want, since in the
4.3 model, a process is set-ID iff real!=effective.

Shouldn't this be rolled up into a little function, proc_is_set_id() or

> 3) Both functions must set P_SUGID to disable ptrace(2) and procfs.

Of course.

> Does anyone object to the preceeding changes?

Not me, indeed, I wholeheartedly support them.

					der Mouse