Subject: Re: Addition to force open to open only regular files
To: NetBSD Kernel Technical Discussion List <firstname.lastname@example.org>
From: Jaromír Dolecek <email@example.com>
Date: 11/30/2000 23:42:03
Greg A. Woods wrote:
> Naturally the set-ID programs in question must still make use of
> setuid(), but I believe from my experience and recent research that
> forcing set-ID programs to do without seteuid()'s ability to regain
> privileges will make it much easier for such programs to choose an early
> point at which to call setuid(getuid()).
As a matter of fact, setuid(getuid()) doesn't work for non-root suid
binaries on a _POSIX_SAVED_IDS system, i.e. a non-root suid binary does not
have a way to give up extra privileges within POSIX.1 bounds.
I think lack of setr*uid() simplifies the situation - it's possible to find
out the real real id at all times. Then, it's easy even for library
code to switch to the real real id, and do exploitable things (like
the $HOSTALIASES support), with the "right" real id. No access()/open() race,
everything is plain and simple.
But all this was said a couple of times already :-]
Jaromir Dolecek <jdolecek@NetBSD.org> http://www.ics.muni.cz/~dolecek/
@@@@ Wanna a real operating system ? Go and get NetBSD, damn! @@@@
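The point made in the message above is that, on a saved-set-user-ID system, setuid(getuid()) from a non-root set-uid process changes only the real and effective IDs and leaves the saved set-uid in place, so the privilege is not really gone. The following C program is an added example (not code from the thread or from NetBSD) that drops privileges the POSIX way and then verifies the drop instead of trusting it. It assumes getresuid() is available (Linux, FreeBSD, OpenBSD); NetBSD of the era did not provide it, and the function names below are illustrative, not from any project.

```c
/* Added example: verify that a setuid(getuid()) privilege drop actually
 * cleared all three user IDs, rather than assuming it did.
 * Assumption: getresuid() exists (Linux/FreeBSD/OpenBSD extension). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Prototype repeated here so the example compiles even if the system
 * header hides getresuid() behind a feature macro. */
extern int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* Pure check: the drop is complete only when real, effective and saved
 * set-user-IDs are all the same value. A lingering saved ID (the
 * non-root _POSIX_SAVED_IDS case from the thread) makes this return 0. */
int ids_fully_dropped(uid_t ruid, uid_t euid, uid_t suid)
{
    return ruid == euid && euid == suid;
}

/* Drop privileges with the portable POSIX.1 call, then read back all
 * three IDs. Returns 1 if the drop is complete, 0 if a saved set-uid
 * survived, and -1 if a system call failed. */
int drop_and_verify(void)
{
    uid_t ruid, euid, suid;

    if (setuid(getuid()) != 0) {
        perror("setuid");
        return -1;
    }
    if (getresuid(&ruid, &euid, &suid) != 0) {
        perror("getresuid");
        return -1;
    }
    return ids_fully_dropped(ruid, euid, suid);
}

int main(void)
{
    uid_t before = geteuid();
    int rc = drop_and_verify();

    if (rc < 0)
        return 2;
    if (rc == 0) {
        /* Saved set-uid still holds the old privilege: a library or
         * later code path could seteuid() back to it. Refuse to go on. */
        fprintf(stderr, "privilege drop incomplete (euid was %u)\n",
                (unsigned)before);
        return 1;
    }
    printf("all IDs now %u; privileges cannot be regained\n",
           (unsigned)getuid());
    return 0;
}
```

Run as an ordinary, non-set-uid binary the check trivially passes, which is the expected baseline; installed set-uid to a non-root user on a saved-IDs system, the same program reports the incomplete drop the message describes, so the caller can abort instead of continuing with a regainable privilege.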