Date:	Sun, 10 Jan 1999 11:16:00 +0100
From:	Nick Maclaren <nmm1@CUS.CAM.AC.UK>
Subject:      Re: Wiping out setuid programs
To:	BUGTRAQ@NETSPACE.ORG

"D. J. Bernstein" <djb@CR.YP.TO> wrotes:
> Costs. It shouldn't take more than five minutes for a kernel implementor
> to support getpeereuid(). For example, Linux has "struct ucred peercred"
> inside struct sock, and a SO_PEERCRED macro in sys/socket.h, used by the
> following four syscalls:
>           .    .    .
> There's similar code to handle gid (and pid). The entire implementation
> is about twenty lines long.

Hmm.  I admire the amount of careful design and validation that you seem
to regard as necessary for kernel modifications.

For example, consider the following sequence of operations:

    Process A running with effective uid fred and saved uid root creates
a socket, and then changes to effective uid joe.
    Process B connects to the other end, process A changes to effective
uid alf, and then process B calls getpeereuid.

The following questions immediately spring to mind:

    1) Which uid (fred, joe or alf) will it return?
    2) Are there any circumstances under which it won't?
    3) Is this the correct behaviour, anyway?
    4) Are we sure that everyone will agree and do the same?

This is definitely a facility that could be useful.  But surely we
know that designing operating system primitives for security
enhancement needs long and careful thought, to avoid obscure and
subtle design errors that cannot be fixed later?


Regards,
Nick Maclaren,
University of Cambridge Computing Service,
New Museums Site, Pembroke Street, Cambridge CB2 3QG, England.
Email:  nmm1@cam.ac.uk
Tel.:  +44 1223 334761    Fax:  +44 1223 334679