exec after seteuid

Pierre A. Humblet Pierre.Humblet@ieee.org
Sat Jun 7 19:34:00 GMT 2003


At 09:14 PM 6/7/2003 +0200, Corinna Vinschen wrote:
>> Here is a candidate patch. I don't want to start sinking
>> test time before you have a chance to tell me it won't work,
>> or improve it.
>
>No, that's an interesting idea.  I would appreciate some testing.
>
OK, will do. I already saw some small holes, related to
Win9X support and the case where the token changes because 
of groups.

>> If both uids have changed, then we need to build two
>> tokens. That's a big job.
>
>But that isn't very likely, right?  Most setuid applications are
>either changing the uid for a quick job or they switch over
>entirely to ruid == euid for their unprivileged child processes.

100% OK

>Do you think it's worth considering such a border case?

Not until someone asks for it!

I was just thinking about the security implications. For example
login uses seteuid. With the change, the shell would still start
with ruid = 18, and a simple RevertToSelf would bring privileges
back. I think (all?) shells setuid(geteuid()), but in Cygwin the
change wouldn't really be effective until the next exec.
Perhaps it would be safer to have login and such use setuid.

Pierre
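
Added example, not part of the original message and not Cygwin code: a check that a login-like program can run before exec to confirm that a uid change cannot be undone. It uses POSIX semantics on Linux/glibc (getresuid is assumed available), not Cygwin's token handling; the function names are hypothetical, and group handling is left out.

```c
#define _GNU_SOURCE            /* for getresuid() on glibc */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the real or saved uid still differs from the effective
 * uid, i.e. a later seteuid() could switch the process back to another
 * identity. Returns 0 if all three ids agree, -1 on error. */
int uid_switch_possible(void)
{
    uid_t ruid, euid, suid;

    if (getresuid(&ruid, &euid, &suid) != 0)
        return -1;
    return (ruid != euid || suid != euid) ? 1 : 0;
}

/* Drop to `target` with setuid() and verify that the drop is permanent.
 * seteuid() alone changes only the effective uid, leaving the real and
 * saved uids as a way back; setuid() from a privileged process sets all
 * three. Returns 0 only if nothing of the old identity remains. */
int drop_uid_permanently(uid_t target)
{
    uid_t old_euid = geteuid();

    if (setuid(target) != 0)
        return -1;
    /* An unprivileged setuid() may change only the effective uid. */
    if (uid_switch_possible() != 0)
        return -1;
    if (getuid() != target || geteuid() != target)
        return -1;
    /* If the identity really changed, regaining the old one must fail. */
    if (old_euid != target && seteuid(old_euid) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed demo: the target is the caller's own real uid. */
    if (drop_uid_permanently(getuid()) != 0) {
        fprintf(stderr, "uid drop is not permanent, refusing to exec\n");
        return 1;
    }
    printf("uid %ld is permanent, safe to exec\n", (long)getuid());
    return 0;
}
```

Supplementary groups should be dropped before the uid, since they can no longer be changed once the process is unprivileged.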



More information about the Cygwin-developers mailing list