Subject: Re: Addition to force open to open only regular files
To: NetBSD Kernel Technical Discussion List <>
From: Greywolf <>
List: tech-kern
Date: 11/18/2000 14:06:15
On Sat, 18 Nov 2000, Greg A. Woods wrote:

# If open_as() *replaces* sete*id() then of course it must accept at least
# UID and GID parameters to be of any use.  In this case you probably do
# NOT want to provide this capability to other function calls,
# though [eg. especially not chmod() or chown()!].

...and now that you have open_as(), guess what you've just done via
fchmod() and fchown()? 8-D

# If I were to redesign set-ID again I think I'd make it work in such a
# fashion that the resulting process defaulted to running as the real user
# and that sete*id() would be necessary to *temporarily* raise privileges
# only for the next system call.

You've just condemned set-id programmers to the hell of not being able to
re-use code in, i.e., their own library which they do share between
common programs.  An awful lot would break.

# -- this would make set-ID programmers more
# aware of when they are using their privileges and might make it easier
# for them to figure out when they can completely drop privileges.  I
# would also make fork() always revert to the real-IDs just as if you'd
# first called setuid(getuid()) -- i.e. no inheritance of privs!

That'd be a lose.

I seem to remember a Doug Gwyn quote that went something like, "UNIX
does not prevent you from doing stupid things because then it would
prevent you from doing smart things, too."

Hack on BSD, and your code runs on over 20 architectures.