Subject: Re: Addition to force open to open only regular files
To: NetBSD Kernel Technical Discussion List <tech-kern@netbsd.org>
From: Greywolf <greywolf@starwolf.com>
List: tech-kern
Date: 11/18/2000 14:06:15
On Sat, 18 Nov 2000, Greg A. Woods wrote:

# If open_as() *replaces* sete*id() then of course it must accept at least
# UID and GID parameters to be of any use.  In this case you probably do
# NOT want to provide this capability to other function calls,
# though [eg. especially not chmod() or chown()!].

...and now that you have open_as(), guess what you've just done via
fchmod() and fchown()? 8-D

# If I were to redesign set-ID again I think I'd make it work in such a
# fashion that the resulting process defaulted to running as the real user
# and that sete*id() would be necessary to *temporarily* raise privileges
# only for the next system call.

You've just condemned set-id programmers to the hell of not being able to
re-use code in, i.e., their own library which they do share between
common programs.  An awful lot would break.

# -- this would make set-ID programmers more
# aware of when they are using their privileges and might make it easier
# for them to figure out when they can completely drop privileges.  I
# would also make fork() always revert to the real-IDs just as if you'd
# first called setuid(getuid()) -- i.e. no inheritance of privs!

That'd be a lose.

I seem to remember a Doug Gwyn quote that went something like, "UNIX
does not prevent you from doing stupid things because then it would
prevent you from doing smart things, too."

				--*greywolf;
--
Hack on BSD, and your code runs on over 20 architectures.
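The thread above argues over whether a set-ID process should hold its privileges continuously (today's model) or raise them only around the call that needs them, and whether fork() should strip them. The C below is an added illustration, not code from NetBSD or from any of the posters. It shows the discipline that exists within the current sete*id() semantics: lower the effective ID for the bulk of the work, raise it for the one call that needs it, drop it for good before exiting, and check that the permanent drop actually stuck. It also wraps fork() so the child always reverts to the real ID, which is what the quoted proposal would have the kernel do by default. The function names (privs_lower, privs_raise, privs_drop_permanently, privs_check_dropped, fork_unprivileged) are made up here; the setuid()-versus-setresuid() split is a real portability detail, not something the thread discusses.

```c
/* Added example: set-ID privilege bracketing, permanent drop, and a
 * fork() wrapper that reverts the child to the real UID.
 * Not NetBSD code and not from the original thread; names are invented. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Temporary drop: the effective UID becomes the real UID while the saved
 * set-user-ID keeps the privileged UID, so privs_raise() can restore it.
 * This is "raise only around the call that needs it", done by hand. */
int privs_lower(uid_t *saved_euid)
{
    *saved_euid = geteuid();
    return seteuid(getuid());
}

int privs_raise(uid_t saved_euid)
{
    return seteuid(saved_euid);
}

/* Permanent drop. On NetBSD setuid(getuid()) sets real, effective and
 * saved IDs together. On Linux setuid() called with a non-zero effective
 * UID changes only the effective UID and leaves the saved set-user-ID in
 * place, so a non-root set-ID program would not really lose anything;
 * setresuid() states the intent explicitly where it exists. */
int privs_drop_permanently(void)
{
    uid_t ruid = getuid();
#if defined(__linux__) || defined(__FreeBSD__)
    return setresuid(ruid, ruid, ruid);
#else
    return setuid(ruid);
#endif
}

/* Verify the drop by trying to get the old effective UID back.
 * Returns 0 if the attempt fails (good), -1 if it succeeds (privileges
 * were not really dropped), 1 if there is no distinct privileged UID to
 * test against (the process was never set-ID). */
int privs_check_dropped(uid_t old_euid)
{
    if (old_euid == getuid())
        return 1;
    if (seteuid(old_euid) == 0) {
        (void)seteuid(getuid());   /* put it back down before reporting */
        return -1;
    }
    return 0;
}

/* fork() with the semantics proposed in the quoted text, as a library
 * wrapper: the child permanently drops to the real UID before fn() runs.
 * Returns the child's exit status, or -1 on error. */
int fork_unprivileged(int (*fn)(void))
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (privs_drop_permanently() != 0)
            _exit(127);
        _exit(fn() & 0xff);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Child body: exit 0 only if the effective UID really is the real UID. */
static int child_has_no_privs(void)
{
    return geteuid() == getuid() ? 0 : 1;
}

int main(void)
{
    uid_t saved;
    if (privs_lower(&saved) != 0) { perror("seteuid"); return 1; }
    /* ... unprivileged work here ... */
    if (privs_raise(saved) != 0) { perror("seteuid"); return 1; }
    /* ... the one call that needs privilege ... */
    printf("child ran unprivileged: %s\n",
           fork_unprivileged(child_has_no_privs) == 0 ? "yes" : "no");
    if (privs_drop_permanently() != 0) { perror("drop"); return 1; }
    printf("regain after permanent drop: %d (0 = refused, -1 = allowed, 1 = not set-ID)\n",
           privs_check_dropped(saved));
    return 0;
}
```

Run it as an ordinary user and it reports 1 for the regain check (nothing to regain); install it set-ID to a scratch account and the check should print 0. A -1 there means the saved set-user-ID survived the "permanent" drop, which on Linux is exactly what the plain setuid() path would do for a non-root set-ID binary.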