Subject: Re: setreuid() and setregid()
To: None <mycroft@MIT.EDU>
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
List: tech-kern
Date: 05/22/1996 06:58:28
> I find it fairly bogus that we implement these functions incorrectly.

So do I.

> I propose implementing them as specified in 4.3BSD, with three
> additional changes to enforce the 4.4BSD security model:

> 1) If we change the real ID, also change the saved ID to the same
>    thing.  This provides a `downward slope'; [...]

Essentially, it does away with the saved-ID, which is exactly what you
want for programs that use setre[ug]id, since they're designed for the
4.3 model, which doesn't _have_ a saved-ID.

> 2) Any places which compare the real and saved IDs to check whether a
>    process is still in a set-ID context (e.g. coredump()) must be
>    changed to also compare the effective ID.

Right.  And again, this sounds like exactly what you want, since in the
4.3 model, a process is set-ID iff real!=effective.

Shouldn't this be rolled up into a little function, proc_is_set_id() or
something?

> 3) Both functions must set P_SUGID to disable ptrace(2) and procfs.

Of course.

> Does anyone object to the preceding changes?

Not me; indeed, I wholeheartedly support them.

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu