[mod.std.unix] Clearing environment on exec of setuid process
std-unix@ut-sally.UUCP (Moderator, John Quarterman) (02/06/86)
Date: Wed, 5 Feb 86 08:12:33 pst
>From: seismo!sun!rtech!daveb (Dave Brower)
Organization: Relational Technology Inc, Alameda CA
At first glance I thought clearing the environment on the exec of a setuid
program might be OK, but it seems full of awkward side effects.
For instance, I could not have one of my favorite programs, nasty, that
runs setuid root and then execs the remainder of its arguments with
a negative nice value. The real child process would never be able to
get a reasonable environment.
The answer is only to do limited operations when in setuid. The best
way to do this would be to allow processes to painlessly shift back and
forth between their real-uid and effective-uid. This is allowed, but
not documented on BSD, but appears not to be allowed at all on SV.
This way, you can have your one section that need to run setuid be setuid
whenver needed, while running as the real user the reset of the time.
Lastly, you really need to be able to set fixed priorities rather than
just nice values so things like a memory/cpu pig server process can avoid
getting bumped. Convex did this by making nice values < -20 and > +20
be a fixed priority. This seems quite reasonable, and lets a 'nasty'
root program set the fixed high priority.
-dB
Volume-Number: Volume 5, Number 39
std-unix@ut-sally.UUCP (Moderator, John Quarterman) (02/08/86)
>From: seismo!gatech!akgua!pegasus!hansen (Tony Hansen)
Sat Feb 8 00:48:16 1986
Date: Sat, 8 Feb 86 00:31:29 EST
Organization: AT&T-IS Labs, Lincroft, NJ
< The answer is only to do limited operations when in setuid. The best
< way to do this would be to allow processes to painlessly shift back and
< forth between their real-uid and effective-uid. This is allowed, but
< not documented on BSD, but appears not to be allowed at all on SV.
System Vr2 allows a non-root setuid process to call setuid(2) with either
the real uid or the saved effective uid, allowing the process to painlessly
switch back and forth. This change occurred between System V and Vr2.
One slight difference is that Vr2 non-root setuid(2) sets the effective uid
and not the real uid. Only a root setuid(2) will change the real uid as
well; which can't then be changed back.
Tony Hansen
ihnp4!pegasus!hansen
Volume-Number: Volume 5, Number 43
std-unix@ut-sally.UUCP (Moderator, John Quarterman) (02/11/86)
>From: Kay Dekker <seismo!mcvax!warwick!kay>
To: ut-sally!std-unix
Organization: Computer Science, Warwick University, UK
Date: Sat, 8 Feb 86 10:20:38 GMT
>Date: Wed, 5 Feb 86 08:12:33 pst
>>From: seismo!sun!rtech!daveb (Dave Brower)
>Organization: Relational Technology Inc, Alameda CA
>
>The answer is only to do limited operations when in setuid. The best
>way to do this would be to allow processes to painlessly shift back and
>forth between their real-uid and effective-uid. This is allowed, but
>not documented on BSD, but appears not to be allowed at all on SV.
>This way, you can have your one section that need to run setuid be setuid
>whenver needed, while running as the real user the reset of the time.
This is *exactly* what I found myself needing to do last night... When
you say "BSD", does this include 4.1? If so, how do I do it? and why
isn't it documented?
Kay.
--
Virtue is its own punishment.
... mcvax!ukc!warwick!kay
[ It was introduced in 4.2BSD. Here's the man page.
Note that only super-user can actually switch back and forth
between ruid and euid. -mod ]
SETREUID(2) UNIX Programmer's Manual SETREUID(2)
NAME
setreuid - set real and effective user ID's
SYNOPSIS
setreuid(ruid, euid)
int ruid, euid;
DESCRIPTION
The real and effective user ID's of the current process are
set according to the arguments. If _�r_�u_�i_�d or _�e_�u_�i_�d is -1, the
current uid is filled in by the system. Only the super-user
may modify the real uid of a process. Users other than the
super-user may change the effective uid of a process only to
the real uid.
RETURN VALUE
Upon successful completion, a value of 0 is returned. Oth-
erwise, a value of -1 is returned and _�e_�r_�r_�n_�o is set to indi-
cate the error.
ERRORS
[EPERM] The current process is not the super-user and
a change other than changing the effective
user-id to the real user-id was specified.
SEE ALSO
getuid(2), setregid(2), setuid(3)
Printed 2/11/86 12 February 1983 1
Volume-Number: Volume 5, Number 44
std-unix@ut-sally.UUCP (Moderator, John Quarterman) (02/11/86)
Date: Sun, 9 Feb 86 22:00:20 pst
>From: pyramid!csg (Carl S. Gutekunst)
Organization: Pyramid Technology Corp., Mountain View, CA
>> The answer is only to do limited operations when in setuid. The best
>> way to do this would be to allow processes to painlessly shift back and
>> forth between their real-uid and effective-uid. This is allowed, but
>> not documented on BSD, but appears not to be allowed at all on SV.
>
>System Vr2 allows a non-root setuid process to call setuid(2) with either
>the real uid or the saved effective uid, allowing the process to painlessly
>switch back and forth. This change occurred between System V and Vr2.
Something is silly here; if you think it's important I'd appreciate it if
you'd verify this with someone who knows:
System V has always had the ability to switch the effective UID between the
real UID and the saved effective UID. (And it isn't documented, BTW. We
discovered it the hard way when some of the V.0 utilities wouldn't run.)
Berkeley, however, has never had this capability. There are a number of other
curious variations and exceptions, although that's fodder for net.unix... :-)
[ Does anybody know when the capability was introduced? PWB, System III,
System V? As for what BSD has along these lines, see previous article.
I'm beginning to agree that this discussion really belongs on net.unix.
-mod ]
<csg>
Volume-Number: Volume 5, Number 45
std-unix@ut-sally.UUCP (Moderator, John Quarterman) (02/11/86)
Date: Mon, 10 Feb 86 11:06:44 MST
>From: thomas%utah-gr@UTAH-CS.ARPA (Spencer W. Thomas)
Organization: University of Utah, Salt Lake City
In article <4141@ut-sally.UUCP> pegasus!hansen (Tony Hansen) writes:
>One slight difference is that Vr2 non-root setuid(2) sets the effective uid
>and not the real uid. Only a root setuid(2) will change the real uid as
>well; which can't then be changed back.
This seems to me to be a potential security problem. It means that you
cannot write a program to give a certain set of people access to a
particular uid (ala su) without making it setuid root. It would be much
safer, it seems to me, to make it setuid to the uid you want to give
access to, and let it do setuid(geteuid()). This is necessary if, for
example, the program wants to fork a real setuid program with the new
uid. We have a number of programs that do this. Yet another reason to
not use SV.
[ Please, let's not start up the System V vs. 4BSD argument here. -mod ]
--
=Spencer ({ihnp4,decvax}!utah-cs!thomas, thomas@utah-cs.ARPA)
Volume-Number: Volume 5, Number 46