Subject: Re: setreuid() and setregid()
To: None <mycroft@MIT.EDU>
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
Date: 05/22/1996 06:58:28
> I find it fairly bogus that we implement these functions incorrectly.
So do I.
> I propose implementing them as specified in 4.3BSD, with three
> additional changes to enforce the 4.4BSD security model:
> 1) If we change the real ID, also change the saved ID to the same
> thing. This provides a `downward slope'; [...]
Essentially, it does away with the saved-ID, which is exactly what you
want for programs that use setre[ug]id, since they're designed for the
4.3 model, which doesn't _have_ a saved-ID.
> 2) Any places which compare the real and saved IDs to check whether a
> process is still in a set-ID context (e.g. coredump()) must be
> changed to also compare the effective ID.
Right. And again, this sounds like exactly what you want, since in the
4.3 model, a process is set-ID iff real!=effective.
Shouldn't this be rolled up into a little function, proc_is_set_id() or
> 3) Both functions must set P_SUGID to disable ptrace(2) and procfs.
> Does anyone object to the preceeding changes?
Not me, indeed, I wholeheartedly support them.