Subject: Re: CVS commit: basesrc
To: matthew green <mrg@eterna.com.au>
From: Robert Elz <kre@munnari.OZ.AU>
List: source-changes
Date: 05/01/2000 23:43:34
    Date:        Sun, 30 Apr 2000 21:18:20 +1000
    From:        matthew green <mrg@eterna.com.au>
    Message-ID:  <9239.957093500@eterna.com.au>

  |    Modified Files:
  |    	basesrc/lib/libc/net: res_query.c
  |    
  |    Log Message:
  |    don't look at $HOSTALIASES, if issetugid() says the binary is dirty.
  | 
  | i really hate this change.

Same here.   What's the problem supposed to be, aside from FUD ?

As long as the library routines that read $HOSTALIASES are doing it
properly (if it wants to be super safe, abandon stdio and just malloc
a buffer, or use the stack, read(2) into it, then zap the buffer (memset())
before returning to user code).   But setuid() binaries that allow users
to get access to data in their mem leave more holes than can be exploited
via HOSTALIASES.

So, is this change any more than a reaction to a bug that was in SunOS?
And if not, can it be undone please?

kre