Subject: re: Addition to force open to open only regular files
To: Bill Studenmund <wrstuden@zembu.com>
From: matthew green <mrg@eterna.com.au>
List: tech-kern
Date: 11/30/2000 10:44:54
   
   > Why aren't you satisfied with the following pseudo code?
   > (If setreuid() is deprecated, the following code should work.)
   > 
   > 	euid = geteuid();
   > 	if (getuid() != euid)
   > 		seteuid(getuid());	/* drop to the real uid for the open */
   > 	fp = fopen($HOSTALIASES, "r");
   > 	if (geteuid() != euid)
   > 		seteuid(euid);		/* restore the saved effective uid */
   > 
   > Do you want to preserve setreuid()? If so, why?
   
   Because we have it for standards compliance, we'd like to keep it. We'd
   also like to make life with it safe.


when it comes to security, we should *not care about stupid standards*
and only implement what we consider best.  to me, that solution is
to go back to the original 4.4BSD setuid()/seteuid() scheme.  the
properties that it has are *extremely* useful.  they are simple to use
(far simpler than setr*id()).  they allow library functions to be safe.


we should never have made setr*id() real syscalls again -- without those,
we can solve the library problems quite simply.  and if people have to
modify code to do so, all the better!  that means someone will have to
read this set-id program, which is always a good thing.


BTW, did you realise that the latest POSIX.1 draft says that
_POSIX_SAVED_IDS is mandatory?  i assure you, we will not be following
that standard.


.mrg.