Subject: Re: commoning up code that changes uids and gids
To: NetBSD Kernel Technical Discussion List <tech-kern@netbsd.org>
From: Robert Elz <kre@munnari.OZ.AU>
List: tech-kern
Date: 03/06/2003 18:02:44
    Date:        Wed, 5 Mar 2003 04:19:54 -0500 (EST)
    From:        "Greg A. Woods" <woods@weird.com>
    Message-ID:  <m18qV46-000B3KC@proven.weird.com>

  | Yes, of course, but it's never safe in a system using the unix security
  | model to raise privileges again in the same process.


#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

int
main(void)
{
	uid_t uid = getuid();	/* real uid (the unprivileged user) */
	uid_t eid = geteuid();	/* effective uid (the set-uid owner) */

	setreuid(eid, uid);	/* swap: run with the user's privileges */
	/* nothing done here */
	setreuid(uid, eid);	/* swap back: regain the original effective uid */
	exit(0);
}

Do you want to revise your "never"?  Or would you like to demonstrate
just how to break that code (comments on the lack of correct data types,
prototypes, error checking, ... will all be ignored).

And if you believe it is impossible to safely replace the comment with
any executable code at all, I will happily demonstrate a version with
some code in it.

  | It never has been
  | and it never will be, and there have been several very wide-spread and
  | serious security bugs in various systems to remind you of this fact too.

No, they illustrate that it is possible to write broken code using
this idiom (and others) - the same code would in almost all cases be
exactly as broken (if not more so) if it had never reduced its privs
but otherwise been just the same - and code can also be broken if
it forks a sub-process which drops privs and never regains them.

You cannot prove a generalisation using examples (but it is easily
possible to disprove one that way).

Drop the dogma.

kre
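The swap idiom from the message above, as an added example that is not part of the original post or of NetBSD's code: it performs the same two setreuid() calls, but checks each return value and confirms with geteuid() that the effective uid really changed and was really restored, which is the check a reviewer would want around any temporary privilege drop. The function name temporarily_drop_and_restore is an assumption of this example. In a non-set-uid process the real and effective uids are already equal, so both calls are permitted no-ops and the function returns 0.

```c
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>

/*
 * Swap real and effective uid with setreuid(), verify that the effective uid
 * is now the unprivileged real uid, then swap back and verify that the
 * original effective uid is restored.  Returns 0 on success, -1 on failure.
 * (Hypothetical helper written for this example; not from the original post.)
 */
int
temporarily_drop_and_restore(void)
{
	uid_t uid = getuid();	/* real uid */
	uid_t eid = geteuid();	/* effective uid before the swap */

	/* Drop: real <- eid, effective <- uid. */
	if (setreuid(eid, uid) == -1) {
		fprintf(stderr, "setreuid(drop) failed: %s\n", strerror(errno));
		return -1;
	}
	/* Verify rather than assume: the effective uid must be the real one. */
	if (geteuid() != uid) {
		fprintf(stderr, "privileges not dropped: euid is %ld\n",
		    (long)geteuid());
		return -1;
	}

	/* Unprivileged work would go here. */

	/* Restore: real <- uid, effective <- eid.  Permitted because eid is the
	 * current real uid and uid is the current effective/saved uid. */
	if (setreuid(uid, eid) == -1) {
		fprintf(stderr, "setreuid(restore) failed: %s\n", strerror(errno));
		return -1;
	}
	if (geteuid() != eid) {
		fprintf(stderr, "privileges not restored: euid is %ld\n",
		    (long)geteuid());
		return -1;
	}
	return 0;
}

int
main(void)
{
	if (temporarily_drop_and_restore() != 0)
		return 1;
	printf("swap and restore succeeded (uid %ld, euid %ld)\n",
	    (long)getuid(), (long)geteuid());
	return 0;
}
```

Installed set-uid, the program drops to the caller's uid and regains the owner's uid; run as an ordinary binary it exercises the same checks with uid == euid. The geteuid() checks after each call are the point: a setreuid() that silently fails leaves the process at the wrong privilege level, which is the class of bug behind the examples the message refers to.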