Subject: Re: Addition to force open to open only regular files
To: Greg Hudson <ghudson@MIT.EDU>
From: Matthew Orgass <darkstar@pgh.net>
List: tech-kern
Date: 11/28/2000 01:46:39
On Tue, 28 Nov 2000, Greg Hudson wrote:

> > Going further in this direction, why not completely split privileged
> > and non-privileged syscalls and have the standard syscalls always
> > use the real id?
>
> What if I actually want to run a library routine (say, fopen) with my
> privileged ID?

  There would be a separate version that is privileged.  It is not really
safe to assume that library routines are safe to use with privilege unless
they were designed that way.  They could use environment variables or
special files or they could call other library functions that do so.
Requiring a separate function for privileged actions ensures that the
routine knows how to deal with it.

> Even Chris Torek's suggestion that setuid programs should run with the
> real uid except at specific points doesn't really solve the problem.
> Say a setuid program needs to get and use Kerberos tickets as root
> (because it's fetching them from a keytab readable only by root).
> Using the Kerberos tickets as root involves doing hostname lookups as
> root.  Doing hostname lookups as root bumps up against the HOSTALIASES
> problem.

  Right, this is why the environment should be empty by default in setuid
programs with a separate tainted environment as passed.

Matthew Orgass
darkstar@pgh.net
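The mitigation the reply argues for, a setuid program that starts from an empty environment and re-admits only a short allow list, as an added C example that is not from the thread or any NetBSD source; the allow list, the fixed PATH value and the function names are this example's own assumptions.

```c
/* Added example: scrub the environment of a setuid program before any
 * library routine that consults it (the resolver reading HOSTALIASES, the
 * dynamic loader, etc.) gets a chance to run with privilege.
 * The allow list and the PATH value below are assumptions for illustration. */
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Variables a setuid program may reasonably inherit; everything else is dropped. */
static const char *const allowed[] = { "TZ", "LANG", NULL };

/* Copy entries of src whose name is on the allow list into dst (capacity cap,
 * including the terminating NULL).  Returns the number of entries kept. */
size_t build_safe_env(char *const *src, char **dst, size_t cap)
{
    size_t n = 0;
    for (; src && *src && n + 1 < cap; src++) {
        const char *eq = strchr(*src, '=');
        if (!eq)
            continue;                           /* malformed entry: drop it */
        size_t namelen = (size_t)(eq - *src);
        for (const char *const *a = allowed; *a; a++) {
            if (strlen(*a) == namelen && strncmp(*a, *src, namelen) == 0) {
                dst[n++] = *src;
                break;
            }
        }
    }
    dst[n] = NULL;
    return n;
}

/* Replace the process environment with the scrubbed copy plus a fixed PATH.
 * Intended as the first statement of main() in a setuid program, before
 * gethostbyname(), getpwnam(), fopen() on user-influenced names, and so on.
 * Returns 0 on success, -1 if the C library refused an entry. */
int sanitize_process_env(void)
{
    static char *empty[] = { NULL };
    char *safe[8];
    size_t n = build_safe_env(environ, safe, sizeof safe / sizeof safe[0]);

    environ = empty;                            /* start from nothing */
    for (size_t i = 0; i < n; i++)
        if (putenv(safe[i]) != 0)               /* strings still live in the old block */
            return -1;
    if (setenv("PATH", "/bin:/usr/bin", 1) != 0) /* assumed safe fixed PATH */
        return -1;
    return 0;
}
```

Anything the program must pass through untrusted (a user-supplied filename, for instance) is then handled explicitly rather than picked up implicitly by a library routine.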