Subject: Re: weird setuid behavior
To: Niels Provos <provos@citi.umich.edu>
From: Greg A. Woods <woods@weird.com>
List: tech-kern
Date: 01/26/2004 02:56:34
[ On Sunday, January 25, 2004 at 14:41:26 (-0500), Niels Provos wrote: ]
> Subject: Re: weird setuid behavior
>
> On Fri, Jan 23, 2004 at 06:11:18PM +0900, Noriyuki Soda wrote:
> > I tested the program on NetBSD-1.4.2 and NetBSD-1.6_STABLE,
> > and the setuid(2) call failed on both systems with EPERM.
> > It failed on Solaris-2.6 and Linux-2.4, too.
> >
> > Is such change really made at last year?
>
> I guess that I am mistaking, but then my question still remains,
> why can't setuid() set my uid to my euid?
I think that could be interpreted as a slightly different question than
the one you asked at first. :-)
I now think the answer to your initial question is that setuid() will
fail if its parameter is the same as the effective user-ID. This is
probably not a good idea given how sloppily many programs make use of
setuid(), though I can't say I've encountered any problems as a result.
This seems to be confirmed by my own tests, though I've not done
exhaustive tests, and I've only done them on my own slightly modified
systems.
FYI, on my own systems if the effective user-ID is zero I've forced
seteuid() to behave as if setuid() were called as I find it much safer
the superuser is forced to always permanently revoke its privileges, and
I've also totally disabled setreuid(). I've had to implement fopen_as()
(currently in user-land using fork() and FD passing) to work around NFS
limitations but so far I've only had to use it in rcmd(3) and lpr(1)
(and my mailer for ~/.forward files, but it already had a similar
feature).
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com> Secrets of the Weird <woods@weird.com>