Subject: Re: Addition to force open to open only regular files
To: NetBSD Kernel Technical Discussion List <tech-kern@netbsd.org>
From: Greywolf <greywolf@starwolf.com>
List: tech-kern
Date: 11/18/2000 14:06:15
On Sat, 18 Nov 2000, Greg A. Woods wrote:
# If open_as() *replaces* sete*id() then of course it must accept at least
# UID and GID parameters to be of any use. In this case you probably do
# NOT want to want to provide this capability to other function calls,
# though [eg. especially not chmod() or chown()!].
...and now that you have open_as(), guess what you've just done via
fchmod() and fchown()? 8-D
# If I were to redesign set-ID again I think I'd make it work in such a
# fashion that the resulting process defaulted to running as the real user
# and that sete*id() would be necessary to *temporarily* raise privileges
# only for the next system call.
You've just condemned set-id programmers to the hell of not being able to
re-use code in, i.e., their own library which they do share between
common programs. An awful lot would break.
# -- this would make set-ID programmers more
# aware of when they are using their privileges and might make it easier
# for them to figure out when they can completely drop privileges. I
# would also make fork() always revert to the real-IDs just as if you'd
# first called setuid(getuid()) -- i.e. no inheritance of privs!
That'd be a lose.
I seem to remember a Doug Gwyn quote that went something like, "UNIX
does not prevent you from doing stupid things because then it would
prevent you from doing smart things, too."
--*greywolf;
--
Hack on BSD, and your code runs on over 20 architectures.