From owner-freebsd-hackers Fri Aug 16 13:49:34 1996
From: J Wunsch
Message-Id: <199608162040.WAA07230@uriah.heep.sax.de>
Subject: Re: Routed supports variable-length netmasks?
To: freebsd-hackers@freebsd.org (FreeBSD hackers)
Date: Fri, 16 Aug 1996 22:40:18 +0200 (MET DST)
Cc: jgreco@brasil.moneng.mei.com (Joe Greco)
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
In-Reply-To: <199608161610.LAA15418@brasil.moneng.mei.com> from Joe Greco at "Aug 16, 96 11:10:53 am"

As Joe Greco wrote:

> I found under FreeBSD, um, I think 2.0.5R that this didn't work real well
> because route did additional checks for root permissions (I believe I got
> around it by forcing the uid and euid to 0, or something like that).

I've also noticed this, and even intended to ``fix'' it some day.
Anyway, when I was ready with the ``fix'', I noticed that I was just
about to actually break it...

route does already run setuid root, in order to work with the routing
socket. So it tests for the real UID of superuser to decide whether
it is allowed to _manipulate_ routes. So everybody can do a ``route
get'', but only processes with a real UID of 0 can ``route add''.

If the calling process's effective UID is already 0, it is free to also
change the real UID to 0 before calling `route' -- much unlike a
regular user, who is not allowed to do this.

--
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
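
The real-UID gate described in the message above, as an added example that is not part of the original message and is not route(8) source. The function names route_cmd_allowed and raise_real_uid and the sample uid 1001 are assumptions made for illustration.

```c
/* Added illustration, not route(8) source: the real-UID gate described above.
 * Function names and the 1001 sample uid are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The binary is setuid root, so geteuid() is 0 for every caller and cannot
 * distinguish them. Only the real uid identifies who invoked the program. */
int route_cmd_allowed(const char *cmd, uid_t ruid)
{
    if (strcmp(cmd, "get") == 0)   /* read-only lookup: open to everybody */
        return 1;
    return ruid == 0;              /* add, delete, ...: real superuser only */
}

/* What a caller whose effective uid is already 0 does before running such a
 * program: make the real uid 0 as well. With euid 0, setuid(0) sets the real,
 * effective and saved uids; for a regular user it fails with EPERM.
 * Returns 0 on success, otherwise the errno value. */
int raise_real_uid(void)
{
    return setuid(0) == 0 ? 0 : errno;
}

int main(int argc, char **argv)
{
    const char *cmd = argc > 1 ? argv[1] : "add";

    printf("ruid=%ld euid=%ld cmd=%s\n", (long)getuid(), (long)geteuid(), cmd);
    if (!route_cmd_allowed(cmd, getuid())) {
        int err = raise_real_uid();
        if (err != 0) {
            fprintf(stderr, "%s: refused, real uid is not 0 (%s)\n",
                    cmd, strerror(err));
            return 1;
        }
        printf("real uid raised to %ld\n", (long)getuid());
    }
    printf("%s: allowed\n", cmd);
    return 0;
}
```

Run as a regular user, the default "add" is refused because setuid(0) fails; run from a process whose effective UID is 0, the real UID is raised first and the same command passes the check.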