Subject: Re: Addition to force open to open only regular files
To: None <firstname.lastname@example.org, email@example.com>
From: Chris Torek <torek@BSDI.COM>
Date: 11/27/2000 14:53:28
By the way, I think this here is an *extremely* important point:
>... But if you can temporarily drop privileges, then you should
>always run in the lower privilege except for the exact places where you
>need the higher privilege.
In other words, given the mechanism we have now in the various BSDs,
EVERY SETUID PROGRAM SHOULD BEGIN WITH:
I might even argue that we should change all our kernels to make "setuid"
really be "set saved uid", so that programs *start out* in this mode. :-)
(There is a slight problem with that aside from the obvious historical
incompatibility: the program then has to have its privileged ID compiled-in.
Could stick something in the startup code, I suppose, with a global variable
(This would probably close a lot of small holes. Then you just want
a few places where do you:
optional: block all signals;
fd = open(path, flags, createmode);
release blocked signals;
more or less.)
Matthew Orgass already said this; I just wanted to agree with and