On Fri 17 Nov 2000 at 20:55:58 -0500, Greg A. Woods wrote:
> My proposal for new getsuid(2) and getsgid(2) calls intended to retrieve
> the saved set-ID credentials is really only put forth to be pedantic.
> 
> You can easily determine them if you want because they are equivalent
> to the effective-IDs when the process first starts.  It's just a matter
> of squirrelling away user-land copies early on.
> 
> However I'd rather be able to get these values from directly from the
> kernel at any old time rather than have to keep track of them in
> user-land.

Exactly, because anything you store in userland is subject to buffer
overflows and such. Any argument to an open_as() function is subject to
attack. This would be an argument for *not* passing a uid to an
open_as() function, in addition to what you write later.

> In fact it may be possible to show that open_as(2) need not do anything
> but operate as if it were the real user, just as access(2) does -- i.e.
> that it does not need any parameters different than open(2).

-Olaf.
-- 
___ Olaf 'Rhialto' Seibert - rhialto@polder    -- Ah only did well at school
\X/ land.nl       -- tae git intae an O level class tae git away fae Begbie.
Hi! I am a .signature virus. Copy me into your .signature to help me spread.