Subject: Re: those annoying "set*uid is deprecated" messages
To: John Kohl <jtk@atria.com>
From: Chris G. Demetriou <cgd@alpha.bostic.com>
List: current-users
Date: 07/19/1994 18:18:37
> I recall the tail end of a discussion about this when I joined
> current-users, but don't recall.  Are these messages going to be tossed
> in favor of program load time messages?  [In particular, I consider them
> evil because they cause me protocol problems on an RPC service which had
> stderr connected to the socket]

i believe the goal was to make them load-time.  "not done yet, though."

> On a related topic, is there some way to do this:
> 
> (1) be running as ruid=euid=0 (some authentication program)
> 
> (2) set one of the uid's to a user, then run some functions which fetch
> kerberos tickets for that user, giving the file his/her UID
> 
> (3) set them both back to root to complete other login stuff
> 
> (4) set them both to the user's UID, and exec his/her shell

i think the following would work:

	setuid(0);	/* gets you (1), assuming a suid-exec program.
			 * otherwise, you're ruid == euid, anyway.
			 * also sets saved uid. */
	...
	seteuid(uid);	/* sets effective uid to uid; gets you (2) */
	...
	setuid(0);	/* sets effective/real/saved id's back to 0. (3) */
	...
	setuid(uid);	/* irrevocably become uid (sets e/r/s id's). (4) */
	exec shell

the similar thing works for gid's, but you've gotta be careful to
set.*gid at the correct times, so you still have perms...


chris

------------------------------------------------------------------------------
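An added example, not part of the original message: steps (2) to (4) with every return value checked, the gid calls ordered so the process still has the privilege to make them, and a test that root cannot be regained after the final drop. The names priv_lower, priv_raise and priv_drop and the sample ids 1000 are assumptions for illustration, step (3) uses seteuid(0) where the post uses setuid(0), and supplementary groups are left to the caller.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <unistd.h>

/* Step (2): switch only the effective ids. Group first: once the
 * effective uid is no longer 0, setegid() to an arbitrary gid fails. */
int priv_lower(uid_t uid, gid_t gid)
{
    if (setegid(gid) != 0) return -1;
    if (seteuid(uid) != 0) return -1;
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Step (3): take the effective ids back. Uid first (the reverse order),
 * so the process is privileged again when it changes the gid. */
int priv_raise(uid_t priv_uid, gid_t priv_gid)
{
    if (seteuid(priv_uid) != 0) return -1;
    if (setegid(priv_gid) != 0) return -1;
    return (geteuid() == priv_uid && getegid() == priv_gid) ? 0 : -1;
}

/* Step (4): give up real, effective and saved ids for good. */
int priv_drop(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0) return -1;    /* needs euid 0, so it comes first */
    if (setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    /* The drop only counts if root cannot be regained; abort on -1. */
    if (uid != 0 && (seteuid(0) == 0 || setuid(0) == 0)) return -1;
    return 0;
}

int main(void)
{
    uid_t uid = 1000; gid_t gid = 1000;  /* constructed sample ids */
    gid_t root_gid = getegid();
    if (geteuid() != 0) return 1;        /* step (1): must start as root */
    if (priv_lower(uid, gid) != 0) return 1;
    /* ... fetch tickets here; files created now belong to uid ... */
    if (priv_raise(0, root_gid) != 0) return 1;
    /* ... remaining login work as root ... */
    if (priv_drop(uid, gid) != 0) return 1;
    execl("/bin/sh", "sh", (char *)NULL);
    return 1;                            /* only reached if exec failed */
}
```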