Subject: Re: fcntl(.., F_SETOWN, ..)
To: None <current-users@NetBSD.ORG>
From: Frank van der Linden <frank@fwi.uva.nl>
List: current-users
Date: 04/10/1996 21:48:44
Quoting Alan Peakall,

> My reading of the NetBSD kernel code is that (at least for sockets) no
> authorisation checking of the value of the third argument to
> `fcntl(.., F_SETOWN, ..)' is performed, and that no checking is done
> when `so_pgid' is used for dispatching `SIG{IO,SIG}'.

> If this is correct, then it is a means of subverting the operation
> of a process which uses these signals (naive processes should be OK
> as these signals are ignored by default), and is also a potential
> covert channel.

This should indeed be fixed; it doesn't even check if the process exists
at all. 

The checking for the case that the fd refers to a terminal has, since
Net/2 I think, seemed a little too strict to me: because F_SETOWN is
implemented via TIOCSPGRP, the fd is required to refer to not only a terminal,
it has to be the controlling terminal for the process as well. Which means
that you can't, say, open a serial device and use async I/O on it.

- Frank
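An added example, not code from the thread or from NetBSD: it exercises the mechanism the posts describe (F_SETOWN plus O_ASYNC on a socket raising SIGIO for the owner) and probes the missing check Alan reports, namely whether the kernel rejects an owner pid that cannot exist. It assumes a POSIX system with socketpair(2), sigtimedwait(2) and the F_SETOWN/O_ASYNC semantics of Linux or the BSDs; INT_MAX is used as a constructed "impossible" pid.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* Make the calling process the owner of fd and enable async I/O on it.
 * Linux records the caller's credentials here and applies kill(2)-style
 * permission checks when the signal is actually sent. */
static int arm_sigio(int fd) {
    if (fcntl(fd, F_SETOWN, (int)getpid()) == -1) return -1;
    int flags = fcntl(fd, F_GETFL);
    if (flags == -1) return -1;
    return fcntl(fd, F_SETFL, flags | O_ASYNC);
}

/* Returns 1 if data arriving on an armed AF_UNIX socket raises SIGIO for
 * the owner within one second, 0 if no signal shows up, -1 on setup error.
 * SIGIO is blocked and collected with sigtimedwait so the check is synchronous. */
int sigio_delivered_to_owner(void) {
    int sv[2], rc = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    sigset_t set, old;
    sigemptyset(&set);
    sigaddset(&set, SIGIO);
    sigprocmask(SIG_BLOCK, &set, &old);
    if (arm_sigio(sv[0]) == 0 && write(sv[1], "x", 1) == 1) {
        struct timespec timeout = { 1, 0 };
        rc = (sigtimedwait(&set, NULL, &timeout) == SIGIO) ? 1 : 0;
    }
    sigprocmask(SIG_SETMASK, &old, NULL);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

/* Probes the check the thread says is missing: F_SETOWN with a pid that
 * cannot exist (INT_MAX exceeds any configured pid limit; a constructed value).
 * Returns the errno reported (ESRCH on kernels that validate the pid),
 * 0 if the value is silently accepted, -1 on setup error. */
int setown_bogus_pid_errno(void) {
    int sv[2], err = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    if (fcntl(sv[0], F_SETOWN, INT_MAX) == -1) err = errno;
    close(sv[0]);
    close(sv[1]);
    return err;
}

int main(void) {
    printf("SIGIO delivered to owner: %d\n", sigio_delivered_to_owner());
    int e = setown_bogus_pid_errno();
    printf("F_SETOWN with bogus pid: %s\n", e > 0 ? strerror(e) : "accepted");
    return 0;
}
```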