Subject: Re: Addition to force open to open only regular files
To: Chris Torek <torek@BSDI.COM>
From: Matthew Orgass <darkstar@pgh.net>
List: tech-kern
Date: 11/28/2000 01:11:41
On Mon, 27 Nov 2000, Chris Torek wrote:

> I might even argue that we should change all our kernels to make "setuid"
> really be "set saved uid", so that programs *start out* in this mode. :-)
> (There is a slight problem with that aside from the obvious historical
> incompatibility: the program then has to have its privileged ID compiled-in.
> Could stick something in the startup code, I suppose, with a global variable
> __privileged_uid...)

  Going further in this direction, why not completely split privileged and
non-privileged syscalls and have the standard syscalls always use the real
id?  This would entirely prevent unintended privileged calls absent
abusive code or bugs.  Combine this with a separate tainted environment and
you would have a real improvement in the setuid model.  A way to achieve
source compatibility (in addition to binary compatibility) with the
current model would ease the pain of doing things differently, and the new
model should be fairly easy to port to other systems on top of the
standard model.

Matthew Orgass
darkstar@pgh.net
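The "start out unprivileged, raise only on demand" model discussed above, approximated on top of the standard POSIX setuid model as an added C example (not code from the thread or from any kernel): the setuid-granted euid is stashed at startup in the thread's suggested `__privileged_uid`, the effective uid is lowered to the real uid, and every privileged operation has to be wrapped explicitly. The function names `privilege_init`, `with_privilege` and `demo_roundtrip` are this example's own; it assumes seteuid() leaves the saved uid untouched, as it does on Linux and the BSDs.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Added example: emulate "set saved uid" in userland. After privilege_init()
 * ordinary syscalls run with the real uid; only code inside with_privilege()
 * sees the privileged id. Names are this example's own. */

static uid_t __privileged_uid;   /* stashed once at startup (thread's name) */
static int   privilege_stashed;  /* guards against raising to an unset (0) id */

/* Call first thing in main(): remember the privileged euid and drop to the
 * real uid. seteuid() changes only the effective uid, so the saved uid keeps
 * the privileged value and we can raise again later. Returns 0 on success. */
int privilege_init(void)
{
    __privileged_uid = geteuid();
    privilege_stashed = 1;
    return seteuid(getuid());
}

/* Run op(arg) with the privileged uid, then drop back unconditionally so a
 * failing op() cannot leave the process raised. Returns op()'s result, or
 * -1 if privilege was never stashed or could not be raised. */
int with_privilege(int (*op)(void *arg), void *arg)
{
    int rc;
    if (!privilege_stashed || seteuid(__privileged_uid) != 0)
        return -1;
    rc = op(arg);
    if (seteuid(getuid()) != 0) {
        perror("seteuid");   /* cannot drop: refuse to run on while raised */
        _exit(1);
    }
    return rc;
}

/* Sample privileged operation: record which effective uid it ran under. */
static int report_euid(void *arg)
{
    *(uid_t *)arg = geteuid();
    return 0;
}

/* Returns 1 when the callback ran as the privileged uid and the process is
 * back at the real uid afterwards, 0 otherwise. Works unprivileged too: then
 * the privileged and real ids simply coincide. */
int demo_roundtrip(void)
{
    uid_t seen = (uid_t)-1;
    if (privilege_init() != 0) return 0;
    if (with_privilege(report_euid, &seen) != 0) return 0;
    return seen == __privileged_uid && geteuid() == getuid();
}
```

Installed setuid, a binary built this way spends all of its time at the real uid except inside with_privilege(), which is the property the thread wants the kernel to enforce by default.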