Date: Sun, 21 Jul 2002 22:05:30 -0700
From: David Schultz <dschultz@uclink.Berkeley.EDU>
To: "M. Warner Losh" <imp@bsdimp.com>
Cc: bde@zeta.org.au, julian@vicor.com, current@FreeBSD.ORG
Subject: Re: [Fwd: FreeBSD/Linux kernel setgid implementation]
Message-ID: <20020722050530.GA1068@HAL9000.homeunix.com>
In-Reply-To: <20020720.010637.105098846.imp@bsdimp.com>
References: <20020720130233.Y15254-100000@gamplex.bde.org> <20020720131426.T15254-100000@gamplex.bde.org> <20020720.010637.105098846.imp@bsdimp.com>
Thus spake M. Warner Losh <imp@bsdimp.com>:
> I would ****STRONGLY**** suggest that any attempts to change the
> setuid semantics of FreeBSD be resisted unless the person making the
> change is willing to a) audit the entire tree for places where the use
> of setuid breaks (and to publish the results of the non-breakage cases
> too) and b) be the point person for the next year after this change
> for the SO to send port breakages to.
>
> Many eyes have looked at the setuid/seteuid instances in the tree and
> verified them as being as correct as we can determine. I'd really
> hate to see that work undone by subtle changes in the system calls.

Interestingly, the paper grew out of a larger project to develop an
automated tool to verify temporal safety properties. The tool is
written and it has yielded promising results, although it presently
lacks a front end to drive all the parts and an extensive database of
formalized security properties. I'm working on the former deficiency
right now. The old hard-to-drive version is available at
http://www.cs.berkeley.edu/~daw/mops/ .

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
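As an added illustration of the kind of temporal safety property the message above refers to, the following constructed example models a process's real, effective and saved user IDs, replays a trace of uid-changing calls against it, and checks one property as a small finite-state automaton: once the effective uid has left 0, it must never return to 0. This is example code written for this page; it is not the MOPS tool and not FreeBSD's kernel code. The setuid()/seteuid() rules it uses are a simplified saved-set-user-ID model and are an assumption, as are the two sample traces.

```python
"""Constructed example: a finite-state check of a temporal safety property
over a trace of uid-changing calls.  Not MOPS and not FreeBSD's kern_prot.c;
the uid rules below are a simplified saved-set-user-ID model (an assumption)."""
from dataclasses import dataclass

EPERM = "EPERM"


@dataclass
class Creds:
    """Real, effective and saved user IDs of the modelled process."""
    ruid: int
    euid: int
    suid: int


def sys_setuid(c: Creds, uid: int):
    """Simplified setuid(): a root caller sets all three IDs; an unprivileged
    caller may only move euid to its real or saved uid.  Returns 0 or EPERM."""
    if c.euid == 0:
        c.ruid = c.euid = c.suid = uid
        return 0
    if uid in (c.ruid, c.suid):
        c.euid = uid
        return 0
    return EPERM


def sys_seteuid(c: Creds, uid: int):
    """Simplified seteuid(): only euid changes, so a saved uid of 0 survives
    and can be used to regain root later.  Returns 0 or EPERM."""
    if c.euid == 0 or uid in (c.ruid, c.euid, c.suid):
        c.euid = uid
        return 0
    return EPERM


SYSCALLS = {"setuid": sys_setuid, "seteuid": sys_seteuid}


def check_trace(trace, start=(0, 0, 0)):
    """Replay `trace` (tuples like ("setuid", 1000) or ("exec",)) from the
    credentials `start` and run the property automaton alongside it:
    PRIVILEGED --(euid leaves 0)--> DROPPED --(euid becomes 0 again)--> VIOLATION.
    Returns the final automaton state, the offending step (if any), the final
    credentials and a per-step log of (step, call, args, rc, creds)."""
    c = Creds(*start)
    state = "PRIVILEGED"
    log = []
    for step, op in enumerate(trace):
        name, *args = op
        before = c.euid
        rc = 0 if name == "exec" else SYSCALLS[name](c, *args)
        creds = (c.ruid, c.euid, c.suid)
        log.append((step, name, tuple(args), rc, creds))
        if state == "PRIVILEGED" and before == 0 and c.euid != 0:
            state = "DROPPED"
        elif state == "DROPPED" and c.euid == 0:
            return {"state": "VIOLATION", "step": step, "creds": creds, "log": log}
    return {"state": state, "step": None, "creds": (c.ruid, c.euid, c.suid), "log": log}


# Constructed traces.  The first drops privilege with setuid(), so the later
# seteuid(0) is refused; the second uses seteuid() and leaves suid == 0, so
# the later seteuid(0) silently succeeds and the property is violated.
PERMANENT_DROP = [("setuid", 1000), ("seteuid", 0), ("exec",)]
LEAKY_DROP = [("seteuid", 1000), ("seteuid", 0), ("exec",)]

if __name__ == "__main__":
    for label, trace in (("permanent drop", PERMANENT_DROP), ("leaky drop", LEAKY_DROP)):
        result = check_trace(trace)
        print(f"{label}: {result['state']} at step {result['step']}, creds {result['creds']}")
        for entry in result["log"]:
            print("   ", entry)
```

The check is deliberately independent of the semantics model: swapping in a different set of rules for `sys_setuid` and `sys_seteuid` (which is exactly what a change to the kernel's setuid semantics amounts to) changes which traces pass, while the property stays the same. That is the sense in which subtle changes to the system calls can undo an audit of the callers.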