From: Garrett Wollman
Date: Wed, 12 Dec 2001 15:41:47 -0500 (EST)
To: Bruce Evans
Subject: Re: setuid() POSIX compliance
Message-Id: <200112122041.fBCKflY68302@khavrinen.lcs.mit.edu>
In-Reply-To: <20011212211356.L34562-100000@gamplex.bde.org>
References: <3C15B736.7080605@uclink.berkeley.edu> <20011212211356.L34562-100000@gamplex.bde.org>

< said:

> change one of their ids using setuid() is considered to have
> "appropriate privilege".

``Appropriate privilege'', in the POSIX sense, can be any arbitrarily
complex predicate.  I.e., ``the process belongs to a user whose
supplementary group list contains exactly three groups, the person
sitting at the console is carrying an umbrella, and the moon is waxing
gibbous'' is a valid definition of ``appropriate privilege''.

A valid implementation of setuid() (ignoring syscall calling convention
issues) could be:

    int
    setuid(uid_t uid)
    {
        /* ... */
        /*
         * Appropriate privilege is defined as:
         * 1) The process belongs to the super-user, or
         * 2) The process has the CAP_CHANGE_UID capability, or
         * 3) The process already has that uid.
         *
         * This definition trumps the second clause (1003.1-2001,
         * ll. 41136ff) by considering all processes it would otherwise
         * apply to privileged.
         */
        if (uid == cred->cr_uid || uid == cred->cr_euid ||
            uid == cred->cr_svuid ||
            has_capability(cred, CAP_CHANGE_UID) ||
            suser_cred(cred)) {
            cred = crcopy(cred);
            assert(cred && cred->cr_refcnt == 1);
            cred->cr_uid = cred->cr_euid = cred->cr_svuid = uid;
            install_process_credential(cred);
            retval = 0;
        } else {
            errno = EPERM;
            retval = -1;
        }
        return (retval);
    }

This implementation is valid regardless of whether _POSIX_SAVED_IDS is
defined -- hence the problems which are detailed in the 1003.1-2001
rationale for setuid().

-GAWollman
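The following is an added example, not part of Wollman's post or of FreeBSD's kernel. It is a user-space model of the POSIX.1-2001 setuid() rules (with saved IDs) in which the "appropriate privilege" predicate is a function pointer, so the two definitions under discussion can be compared side by side: the classic "effective uid is 0" test, and the post's "superuser or already holds that uid" test (the CAP_CHANGE_UID clause is dropped since the model has no capabilities). The credential layout borrows the cr_uid/cr_euid/cr_svuid names from the post; the struct name, the predicate names, and the scenario (a set-uid-root program with real uid 1000 that has already lowered its effective uid and now calls setuid(1000) to drop privilege) are constructed for illustration. What the model shows is that the choice of predicate decides whether that drop is revocable: under the classic predicate setuid(1000) only touches the effective uid, leaving the saved uid 0, so a later setuid(0) succeeds; under the post's predicate the caller counts as privileged, all three uids become 1000, and root is gone for good.

```c
/* Added example: model of POSIX.1-2001 setuid() with a pluggable
 * "appropriate privilege" predicate.  Not FreeBSD code. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Model credential (constructed): the three uids setuid() manipulates. */
struct mcred {
    uid_t cr_uid;    /* real uid */
    uid_t cr_euid;   /* effective uid */
    uid_t cr_svuid;  /* saved set-user-ID */
};

/* "Appropriate privilege" is whatever predicate the implementation picks. */
typedef int (*priv_pred_t)(const struct mcred *c, uid_t uid);

/* Classic predicate: only an effective uid of 0 is privileged. */
static int priv_superuser(const struct mcred *c, uid_t uid)
{
    (void)uid;
    return c->cr_euid == 0;
}

/* The post's predicate, minus the capability clause: superuser, or the
 * requested uid is already held in any of the three slots. */
static int priv_post(const struct mcred *c, uid_t uid)
{
    return c->cr_euid == 0 || uid == c->cr_uid ||
           uid == c->cr_euid || uid == c->cr_svuid;
}

/* POSIX.1-2001 setuid() with saved IDs: a privileged process sets all three
 * uids; an unprivileged one may only set the effective uid, and only to its
 * real or saved uid.  Returns 0 or -1 with *err = EPERM, like the syscall. */
static int model_setuid(struct mcred *c, uid_t uid, priv_pred_t priv, int *err)
{
    if (priv(c, uid)) {
        c->cr_uid = c->cr_euid = c->cr_svuid = uid;
        return 0;
    }
    if (uid == c->cr_uid || uid == c->cr_svuid) {
        c->cr_euid = uid;
        return 0;
    }
    *err = EPERM;
    return -1;
}

/* Constructed scenario: a set-uid-root program started by uid 1000 has
 * already lowered its effective uid (ruid=1000, euid=1000, svuid=0) and now
 * calls setuid(1000) to "drop privilege".  Returns the saved uid afterwards. */
static uid_t saved_after_drop(priv_pred_t priv)
{
    struct mcred c = { 1000, 1000, 0 };
    int err = 0;

    if (model_setuid(&c, 1000, priv, &err) != 0)
        return (uid_t)-1;
    return c.cr_svuid;
}

/* Same scenario, then an attempt to get root back with setuid(0).
 * Returns 0 if root was regained, -1 if the call failed with EPERM. */
static int regain_root_after_drop(priv_pred_t priv)
{
    struct mcred c = { 1000, 1000, 0 };
    int err = 0;

    if (model_setuid(&c, 1000, priv, &err) != 0)
        return -2;
    return model_setuid(&c, 0, priv, &err);
}

int main(void)
{
    printf("classic predicate: svuid after drop = %u, regain root = %d\n",
           (unsigned)saved_after_drop(priv_superuser),
           regain_root_after_drop(priv_superuser));
    printf("post's predicate:  svuid after drop = %u, regain root = %d\n",
           (unsigned)saved_after_drop(priv_post),
           regain_root_after_drop(priv_post));
    return 0;
}
```

Both runs are conforming; the standard's text is satisfied either way. The difference is entirely in the predicate, which is why a program that wants an irrevocable drop cannot rely on setuid() alone and should verify the result (e.g. that a subsequent setuid(0) fails) rather than trust the call's return value.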