Subject: Re: commoning up code that changes uids and gids
To: David Laight <david@l8s.co.uk>
From: Greg A. Woods <woods@weird.com>
List: tech-kern
Date: 03/04/2003 15:26:39
[ On Tuesday, March 4, 2003 at 09:57:36 (+0100), Jaromir Dolecek wrote: ]
> Subject: Re: commoning up code that changes uids and gids
>
> Did you confirm the semantics for compat code matches
> previous state? E.g. linux_misc.c/linux_misc_notalpha.c has
> this comment:
> 
>  	/*
>  	 * Note: These checks are a little different than the NetBSD
>  	 * setreuid(2) call performs.  This precisely follows the
>  	 * behavior of the Linux kernel.
>  	 */
> 
> AFAICS most of the other compat code uses some variant of setresuid() playing
> with saved IDs; adding a compat_setresuid() function to compat/common/
> and making compat code use that should be sufficient WRT code sharing.

I don't care what "compatibility" breaks, no kernel code should ever
allow any process running with superuser privileges to give up those
privileges without forcing it to give them up permanently.

It is never ever safe to allow a process to return to a raised level of
privilege after it has been running at a lower level of privilege.

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
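The distinction the thread turns on, a temporary drop (saved uid left at 0, so the process can come back to root) versus a permanent one (real, effective and saved IDs all set to the unprivileged target, with the result verified), as an added illustration in userland C. This is not code from the thread or from the NetBSD or Linux source; it assumes the setresuid(2)/setresgid(2)/getresuid(2) family as found on Linux and the BSDs, and the target uid/gid values in main() are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure check on a credential triple: a drop to `target` is permanent only
 * when the real, effective AND saved uids all equal the unprivileged target.
 * A saved uid of 0 left behind is exactly the "return to a raised level of
 * privilege" that the message above objects to. */
int creds_fully_dropped(uid_t ruid, uid_t euid, uid_t suid, uid_t target)
{
    if (target == 0)
        return 0;               /* "dropping" to root is not a drop */
    return ruid == target && euid == target && suid == target;
}

/* Irreversibly drop to uid/gid. Returns 0 on success, -1 with errno set on
 * failure. Order matters: supplementary groups first (needs privilege),
 * then gid, then uid, each with real/effective/saved set in one call. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    uid_t r, e, s;

    if (uid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* supplementary groups can only be replaced while still privileged */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* never trust the return value alone: read the triple back */
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    if (!creds_fully_dropped(r, e, s, uid)) {
        errno = EPERM;
        return -1;
    }
    /* and confirm the drop cannot be undone: regaining euid 0 must fail */
    if (setresuid((uid_t)-1, 0, (uid_t)-1) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* constructed targets: an unprivileged id when run as root, otherwise
     * the caller's own ids (an unprivileged process may "drop" to itself) */
    uid_t uid = getuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = getgid() == 0 ? (gid_t)65534 : getgid();

    if (drop_privileges_permanently(uid, gid) != 0) {
        fprintf(stderr, "drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid %u, drop verified permanent\n", (unsigned)geteuid());
    return 0;
}
```

The check on the triple is what the thread's compat code (seteuid/setreuid-style semantics that leave the saved uid untouched) would fail: such a process reports euid 1000 but `creds_fully_dropped(0, 1000, 0, 1000)` is false, and the final `setresuid(-1, 0, -1)` would succeed rather than return EPERM.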