Subject: Re: commoning up code that changes uids and gids
To: Jaromir Dolecek <email@example.com>
From: David Laight <firstname.lastname@example.org>
Date: 03/09/2003 19:19:29
> Also, you didn't adress the issue I raised - that ruid
> in sys_setreuid() is always set to as 'p->p_cred->p_ruid ? -1 : euid;',
> so the previous 'if (ruid == -1) ruid = p->p_cred->p_ruid;' has
> no effect. Other routines might have similar issues.
svuid = ruid == p->p_cred->p_ruid ? -1 : euid;
Is an assignment to svuid, not ruid.
> It also seems new do_setres[ug]id() might return error in some
> cases which it didn't before - at least it looked so when I scanned
> setuid/setgid code changes before.
Name a case.
> Also, you didn't answer
> if you made sure the Linux code indeed works as well as before.
The linix code matches my the old code, and also what linux does
- namely that you can set and of uid values to any of the others
> I believe you should be 200% sure the code is right _before_
> commit, and have regression tests for that. You change the
> very foundations of unix security model, and any mistake
> here means major compromise.
I've been running it localy for a long time.
> I'd say it would be appropriate to back your change off.
Various people who can read C better than you seem able to checked it.
From a security point of view, there are MUCH less likely to be problems
in the new code than in the old - since the changes that non-root
users can make are now absolutely transparent.
David Laight: email@example.com