bob@allosaur.cis.ohio-state.edu (Bob Sutterfield) (09/30/88)
*** X.V11R2/lib/Xaw/Load.c~ Wed Aug 17 13:54:26 1988
--- X.V11R2/lib/Xaw/Load.c Fri Sep 30 11:20:18 1988
***************
*** 401,406 ****
--- 401,407 ----
loadavg_seek = namelist[LOADAV].n_value;
kmem = open(KMEM_FILE, O_RDONLY);
if (kmem < 0) xload_error("cannot open", KMEM_FILE);
+ setuid(getuid());
init = 1;
}
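Review bot: the added setuid(getuid()) after the kmem open ignores its return value, so a failed drop leaves the process running with its elevated uid and nothing reports it; check the result and fail through xload_error() the way the open() above does. It also resets only the uid: an application installed setgid kmem keeps that group, so a matching setgid(getgid()) is needed if the drop stays at this point.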
-=-
Zippy sez, --Bob
Our father who art in heaven.. I sincerely pray that SOMEBODY
at this table will PAY for my SHREDDED WHAT and ENGLISH MUFFIN..
and also leave a GENEROUS TIP...
RWS@ZERMATT.LCS.MIT.EDU (Robert Scheifler) (09/30/88)
    Date: 30 Sep 88 15:55:43 GMT
    From: allosaur.cis.ohio-state.edu!bob@ohio-state.arpa (Bob Sutterfield)

    + setuid(getuid());

Umm, putting this in the middle of a widget's code (that might be embedded in an arbitrary application) is NOT reasonable.
bob@allosaur.cis.ohio-state.edu (Bob Sutterfield) (10/01/88)
In article <19880930162408.7.RWS@KILLINGTON.LCS.MIT.EDU> RWS@ZERMATT.LCS.MIT.EDU (Robert Scheifler) writes:
>
> Date: 30 Sep 88 15:55:43 GMT
> From: allosaur.cis.ohio-state.edu!bob@ohio-state.arpa (Bob Sutterfield)

How did that "ohio-state.arpa" get in there? There's no such thing any more!

>
> + setuid(getuid());
>
>Umm, putting this in the middle of a widget's code (that might
>be embedded in an arbitrary application) is NOT reasonable.

My rationale was that any application that uses that widget would need to be setuid root (or at least setgid kmem), and it would be appropriate for that application to setuid back to its invoker, so why not do it in the widget? But perhaps that's too much of an assumption at the widget level.

I have repented, and backed that change out of my libXaw, and changed my xload thusly instead:

*** clients/xload/xload.c~ Thu Feb 25 23:54:25 1988 --- clients/xload/xload.c Fri Sep 30 15:37:23 1988 *************** *** 59,63 **** --- 59,64 ---- XtSetArg (arg, XtNlabel, host); XtCreateManagedWidget ("load", loadWidgetClass, toplevel, &arg, 1); XtRealizeWidget (toplevel); + setuid(getuid()); XtMainLoop(); }

Is that a more tasteful way of going about it?
-=-
Zippy sez, --Bob
You should all JUMP UP AND DOWN for TWO HOURS while I decide on a NEW CAREER!!
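Review bot: in the xload.c hunk the setuid(getuid()) placed before XtMainLoop() is not checked, so if the call fails the main loop runs with the elevated uid; test the return value and exit on failure. The drop also comes only after XtCreateManagedWidget() and XtRealizeWidget(), so all of that setup still runs privileged, and it resets only the uid, which leaves the group in place when the binary is installed setgid rather than setuid.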
mtr@mace.cc.purdue.edu (Miek Rowan) (10/01/88)
Here I just have xload(1) setgid kmem and all is happy. (I can even kill it ;-) -- why make things setuid when you don't have to? mtr
RWS@ZERMATT.LCS.MIT.EDU (Robert Scheifler) (10/01/88)
    Date: 30 Sep 88 21:11:30 GMT
    From: allosaur.cis.ohio-state.edu!bob@ohio-state.arpa (Bob Sutterfield)

    My rationale was that any application that uses that widget would need to be setuid root (or at least setgid kmem), and it would be appropriate for that application to setuid back to its invoker, so why not do it in the widget?

Because you don't know how many other setuid or setgid functions there might be in other widgets in the same application, that haven't yet been executed.

    I have repented, and backed that change out of my libXaw, and changed my xload thusly instead:

    Is that a more tasteful way of going about it?

Yes.