Message-Id: <200009300507.e8U57YG24889@billy-club.village.org>
To: Don Lewis
Subject: Re: cvs commit: src/lib/libc/net hesiod.c
Cc: Jacques Vidrine, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
In-reply-to: Your message of "Fri, 29 Sep 2000 20:18:33 PDT." <200009300318.UAA19183@salsa.gv.tsc.tdk.com>
References: <200009300318.UAA19183@salsa.gv.tsc.tdk.com> <200009291256.FAA32249@freefall.freebsd.org>
Date: Fri, 29 Sep 2000 23:07:33 -0600
From: Warner Losh

In message <200009300318.UAA19183@salsa.gv.tsc.tdk.com> Don Lewis writes:
: On Sep 29, 5:56am, Jacques Vidrine wrote:
: } Subject: cvs commit: src/lib/libc/net hesiod.c
: } nectar 2000/09/29 05:56:34 PDT
: }
: } Modified files:
: } lib/libc/net hesiod.c
: } Log:
: } Ignore HESIOD_CONFIG and HES_DOMAIN environmental variables for
: } set-user-ID and set-group-ID programs.
:
: Would a better test be to check issetugid()? The process may have
: already dropped privileges ...

I concur. One should use issetugid() rather than checking directly against the uid/gid because we may have dropped privs already. This is important because there are two reasons to check to see if we are running at elevated privs. One is to prevent us from reading files that the user might not ordinarily be able to read (which this test catches) and the second is to make extra sure that we have a trusted file when running with elevated privs because the program might be able to still get the elevated privs back. Buffer overflows are still dangerous even after we've dropped privs because that revocation isn't necessarily permanent and the egg code can often get them back. And I think there's at least one reason that I'm forgetting...

Jacques, please apply the following to the file. I'll commit it tomorrow morning if it hasn't been changed by then.

I almost committed this just now and in the process managed to leave a lock file behind. cvs@ has been notified.

Index: hesiod.c =================================================================== RCS file: /home/imp/FreeBSD/CVS/src/lib/libc/net/hesiod.c,v retrieving revision 1.2 diff -u -r1.2 hesiod.c --- hesiod.c 2000/09/29 12:56:33 1.2 +++ hesiod.c 2000/09/30 05:05:54 
@@ -90,7 +90,7 @@ const char *p, *configname; int trust; - trust = geteuid() == getuid() && getegid() == getgid(); + trust = !issetuid(); ctx = malloc(sizeof(struct hesiod_p)); if (ctx) {

Warner
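
Review bot: the added line `trust = !issetuid();` calls issetuid(), while the function named in both the quoted question and the reply is issetugid(); the line should read `trust = !issetugid();`. A one-line comment above the assignment saying that the check must stay true after the process has dropped privileges would record why the geteuid()/getuid() and getegid()/getgid() comparison was replaced.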