This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] Declare set*id with warn_unused_result


On Tue, Jul 24, 2012 at 06:01:36AM -0700, Paul Eggert wrote:
> On 07/24/2012 04:58 AM, Florian Weimer wrote:
> > On Linux (except very current versions without funky security modules)
> 
> Presumably this bug is fixed in current versions?

The bug whereby setuid failed due to RLIMIT_NPROC was fixed about a
year ago. However, it can still fail due to resource exhaustion in
kernelspace since the kernel stupidly allocates a new privilege
structure for the new uids/gids/caps/etc. tuple rather than just
setting a pre-allocated field in the task structure.

> And the funky security modules will be fixed, too?

No, the "funky" security modules api is broken by design. It allows
admins to make modules that cause any syscall to fail for any reason,
which actually makes programs a lot LESS secure because the reasonable
assumption that certain functions (like getuid or gettimeofday or
such) never fail is no longer true.

> If so, these warnings would be unnecessary annoyances
> in fixed versions, so perhaps we should leave this alone.
> (And if not, then why not?)

It's always a bug not to check the return value of an operation to
change privilege level. Even if it can't fail on your setup, it means
your program is dangerously non-portable. Normally I'm rabidly
anti-__wur, but these functions are one place where it's appropriate.

Rich
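The check Rich describes, as an added example that is not code from this thread or from glibc: a privilege-drop helper that treats every set*id failure as a failure of the whole operation and then verifies the outcome. `drop_privileges` is a hypothetical name, and the getresuid/getresgid calls assume glibc on Linux.

```c
#define _GNU_SOURCE          /* for getresuid/getresgid (glibc, Linux) */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Same annotation the patch proposes for glibc's set*id (what __wur expands
 * to): callers that ignore the result of this helper get a warning as well. */
__attribute__((warn_unused_result))
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    /* Group first: after the uid is unprivileged, setgid() may no longer
     * be permitted to change the gid. */
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%lu): %s\n", (unsigned long)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%lu): %s\n", (unsigned long)uid, strerror(errno));
        return -1;
    }

    /* Do not trust a zero return alone: confirm real, effective and saved
     * ids all hold the target, so a partial change is not taken for a drop. */
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return -1;
    if (ru != uid || eu != uid || su != uid ||
        rg != gid || eg != gid || sg != gid) {
        fprintf(stderr, "privilege drop did not take effect\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Re-asserting the ids we already hold always succeeds; asking for
     * root as an ordinary user fails with EPERM and is reported, not lost. */
    if (drop_privileges(getuid(), getgid()) != 0)
        return 1;
    if (getuid() != 0 && drop_privileges(0, 0) == 0)
        return 1;
    puts("privilege transitions checked");
    return 0;
}
```

Compiling with -Wall and calling `drop_privileges(...)` without using the result reproduces the warning the patch would attach to setuid/setgid themselves.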
