Subject: Re: Addition to force open to open only regular files
To: NetBSD Kernel Technical Discussion List <tech-kern@netbsd.org>
From: Jaromír Dolecek <dolecek@ics.muni.cz>
List: tech-kern
Date: 11/30/2000 23:42:03
Greg A. Woods wrote:
> Naturally the set-ID programs in question must still make use of
> setuid(), but I believe from my experience and recent research that
> forcing set-ID programs to do without seteuid()'s ability to regain
> privileges will make it much easier for such programs to choose an early
> point at which to call setuid(getuid()).

As a matter of fact, setuid(getuid()) doesn't work for non-root suid
binaries on _POSIX_SAVED_IDS systems, i.e. a non-root suid binary does not
have a way to give up extra privileges within POSIX.1 bounds.

I think lack of setr*uid() simplifies the situation - it's possible to find
out the real real id at all times. Then it's easy even for library
code to switch to the real real id, and do exploitable things (like
the $HOSTALIASES support), with the "right" real id.  No access()/open() race,
everything is plain and simple.

But all this was said a couple of times already :-]

Jaromir
-- 
Jaromir Dolecek <jdolecek@NetBSD.org>      http://www.ics.muni.cz/~dolecek/
@@@@  Wanna a real operating system ? Go and get NetBSD, damn!  @@@@
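The following C program is an added illustration of the point made in the message above; it is not code from the thread or from NetBSD. It contrasts the POSIX.1-only setuid(getuid()) with a drop via setreuid() (the setr*uid() family the thread refers to, available on NetBSD, Linux and the other BSDs), and adds the check a practitioner should always perform afterwards: try to get the old effective uid back and treat success as a failed drop. The function names, result codes and the "record geteuid() at program start" convention are this example's own assumptions. Run as a plain (non set-ID) binary it only reports that there was nothing to drop; the interesting output needs a binary installed set-user-ID to a non-root user.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes for drop_privs_permanently() (names assumed for this example). */
enum {
    DROP_OK = 0,              /* privilege dropped and verified unrecoverable */
    DROP_NOTHING_TO_DROP = 1, /* the "privileged" uid is just the real uid */
    DROP_FAILED = -1          /* a call failed, or privilege could be regained */
};

/*
 * Probe whether `privileged` can still be made the effective uid.
 * Returns 1 if seteuid(privileged) succeeds (the probe switches straight
 * back), 0 if it fails with EPERM, -1 on any other error.  After an
 * attempted drop, 1 means the saved set-user-ID is still in place.
 */
int can_regain(uid_t privileged)
{
    uid_t current = geteuid();

    if (privileged == current)
        return 1;                       /* already running as that uid */
    if (seteuid(privileged) == 0) {
        (void)seteuid(current);         /* switch back; the point is proven */
        return 1;
    }
    return errno == EPERM ? 0 : -1;
}

/*
 * The POSIX.1-only attempt discussed in the thread.  For a process that is
 * set-ID to a non-root uid, setuid() lacks "appropriate privilege" and so
 * changes only the effective uid; the saved set-user-ID survives.  (For a
 * set-ID-root process setuid() does change all three ids.)  Returns the
 * can_regain() verdict, so 1 means the old privilege is still reachable.
 */
int drop_privs_setuid_only(void)
{
    uid_t euid = geteuid();

    if (setuid(getuid()) == -1)
        return -1;
    return can_regain(euid);
}

/*
 * Drop to the real uid and make sure `privileged` (the effective uid the
 * caller recorded at program start, before any library code ran) is gone
 * for good.  setreuid() with a real uid that is not -1 also overwrites the
 * saved set-user-ID with the new effective uid, which setuid() does not do
 * for a non-root set-ID process.  The drop is never trusted blindly: it is
 * verified by trying to get the old uid back.
 */
int drop_privs_permanently(uid_t privileged)
{
    uid_t ruid = getuid();

    if (setreuid(ruid, ruid) == -1)
        return DROP_FAILED;
    if (privileged == ruid)
        return DROP_NOTHING_TO_DROP;    /* never was set-ID to another uid */
    return can_regain(privileged) == 0 ? DROP_OK : DROP_FAILED;
}

int main(void)
{
    uid_t start_euid = geteuid();       /* record before anything else runs */
    int r;

    printf("start: ruid=%ld euid=%ld\n", (long)getuid(), (long)start_euid);
    printf("after setuid(getuid()), old euid reachable: %d\n",
           drop_privs_setuid_only());
    r = drop_privs_permanently(start_euid);
    printf("after setreuid() drop: result=%d, old euid reachable: %d\n",
           r, can_regain(start_euid));
    return r == DROP_FAILED;
}
```

Recording geteuid() at the very start is deliberate: once a library has called setuid(getuid()) on a non-root set-ID process, getuid() == geteuid() looks like "nothing to drop" while the saved set-user-ID is still there, which is exactly the trap the message describes.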