Subject: re: Addition to force open to open only regular files
To: Warner Losh <email@example.com>
From: matthew green <firstname.lastname@example.org>
Date: 11/14/2000 10:41:05
A program can call setreuid with two different args than who started
the program (eg setreuid(1, 2)) and then rely on the saved id to get
back to the original euid of the person who ran the program. NetBSD
supports _POSIX_SAVED_IDS, which means that the above won't touch the
On FreeBSD this may be safe because it doesn't implement
_POSIX_SAVED_IDS because it is unsafe to traditional BSD programs. At
least according to comments in kern_prot.c.
netbsd does not support _POSIX_SAVED_IDS.
* According to POSIX 1003.1:
* "The saved set-user-ID capability allows a program to regain the
* effective user ID established at the last exec call."
* However, the setuid/setgid function as specified by POSIX 1003.1 does
* not allow changing the effective ID from the super-user without also
* changed the saved ID, so it is impossible to get super-user privileges
* back later. Instead we provide this feature independent of the current
* effective ID through the seteuid/setegid function. In addition, we do
* not use the saved ID as specified by POSIX 1003.1 in setuid/setgid,
* because this would make it impossible for a set-user-ID executable
* owned by a user other than the super-user to permanently revoke its
* extra privileges.
#define _POSIX_SAVED_IDS /* saved set-user-ID and set-group-ID */