Subject: kern/4217: kernel's handling of group permissions is suboptimal
To: None <gnats-bugs@gnats.netbsd.org>
From: None <cgd@NetBSD.ORG>
List: netbsd-bugs
Date: 10/03/1997 23:00:13 
>Number:         4217
>Category:       kern
>Synopsis:       the kernel's handling of group permissions is suboptimal
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Fri Oct  3 16:05:05 1997
>Last-Modified:
>Originator:     Chris G. Demetriou
>Organization:
Kernel Hackers 'r' Us
>Release:        NetBSD-current as of October 1, 1997
>Environment:
System: NetBSD brick.demetriou.com 1.2G NetBSD 1.2G (BRICK) #116: Wed Jul 16 14:03:06 PDT 1997 cgd@brick.demetriou.com:/usr/src/sys/arch/i386/compile/BRICK i386


>Description:
	The kernel's handling of group permissions is suboptimal.  In
	particular, it has (at least) the following deficiencies (for
	non-superusers):

	(1) setgroups() can only be invoked by root, despite the fact
	    that the manual page says that "only the super-user may set
	    new groups."  It's impossible for a process to _remove_
	    groups from its group access list.  This means that it's
	    impossible for a "smart" process to completely relinquish
	    certain privileges.

	(2) setgid() can't set group ID to one of the groups in the
	    group access list, only to either the real group id or the
	    saved group id.  This, too, means that it's impossible
	    for a "smart" process to relinquish certain privileges.  Such
	    a process might want to setgid() to a certain group ID, then
	    relinquish other group membership, then invoke another program.

	(3) same as (2), but for setegid().

	(3) same as (2), but for setregid().

>How-To-Repeat:
	Try code which performs any of the above operations.

>Fix:
	None provided.  Note that there are 'interesting' issues if
	the real or effective group IDs aren't in the process's
	group list; logically they probably should be.  (That doesn't
	necessarily have to be reported directly to user programs which
	do getgroups(), but having one array could make life a lot easier.
	Indeed, it might make life easier in the existing code!)
>Audit-Trail:
>Unformatted: