June 15, 2007, 18:13
|
#1 |
|
Swordsman
Join Date: May 2007
Posts: 289
 |
The safe_setuid code
The safe_setuid_drop and safe_setuid_grab functions have a ridiculous number of ifdefs.
I suggests that at least SAFE_SETUID and SAFE_SETUID_POSIX is turned on permanently. For the first one, I see no reason to turn it off and for the second one, we assume in all other places that all Unix systems are Posix compatible by now. Finally there is setegid vs setgid. Reading the manpages I can't figure out the difference. Anyone got a clue? |
|
|
|
June 15, 2007, 19:56
|
#2 | |
|
Veteran
Join Date: Apr 2007
Posts: 1,951
Donated: $40
|
Quote:
BSD man page for setegid Linux man page for setegid The Rationale section of the Open Group's setuid man page seems to explain it, but I haven't got the time right now to read it properly This slide references a paper (PDF) which explains everything in a much lengthier fashion, which I might print out tonight and read. |
|
|
|
|
|
June 20, 2007, 14:43
|
#3 | |
|
Veteran
Join Date: Apr 2007
Posts: 1,951
Donated: $40
|
Quote:
SAFE_SETUID_POSIX means "comply with the POSIX standard", but it's actually less secure than not having SAFE_SETUID_POSIX defined -- setregid has the better semantics over setgid, but it's not POSIX. This is therefore a better (I think) formulation of safe_setuid_grab(): EDIT: simplify code Code:
void safe_setuid_grab(void)
{
#ifdef SET_UID
# if defined(HAVE_SETREGID)
if (setregid(getegid(), getgid()) != 0)
quit("setregid(): cannot set permissions correctly!");
# elif defined(HAVE_SETEGID)
if (setegid(player_egid) != 0)
quit("setegid(): cannot set permissions correctly!");
# else
if (setgid(player_egid) != 0)
quit("setgid(): cannot set permissions correctly!");
# endif /* HAVE_SETEGID */
#endif /* SET_UID */
}
Last edited by takkaria; June 20, 2007 at 18:04. |
|
|
|
|
|
June 20, 2007, 18:52
|
#4 | |
|
Swordsman
Join Date: May 2007
Posts: 289
|
Quote:
In order of preference, see the slide and section 8.1.1 of the pdf: 1. setresgid (Which we doesn't have code for. Note the s.) 2. setegid (Recommends setregid for cases that we doesn't use.) 3. setgid "Since setresuid has a clear semantics and is able to set each user ID individually, it should always be used if available. Otherwise, to set only the effective uid, se- teuid(new euid) should be used; .... setuid should be avoided ...." |
|
|
|
|
|
June 20, 2007, 18:55
|
#5 |
|
Swordsman
Join Date: May 2007
Posts: 289
|
The code should look like this, note the changes in the first part in bold:
Code:
void safe_setuid_grab(void)
{
#ifdef SET_UID
# if defined(HAVE_SETRESGID)
if (setresgid(-1, player_egid, -1) != 0)
quit("setresgid(): cannot set permissions correctly!");
# elif defined(HAVE_SETEGID)
if (setegid(player_egid) != 0)
quit("setegid(): cannot set permissions correctly!");
# else
if (setgid(player_egid) != 0)
quit("setgid(): cannot set permissions correctly!");
# endif /* HAVE_SETEGID */
#endif /* SET_UID */
}
|
|
|
|
|
June 20, 2007, 22:48
|
#6 | |
|
Veteran
Join Date: Apr 2007
Posts: 1,951
Donated: $40
|
Quote:
|
|
|
|
|
|
June 21, 2007, 05:08
|
#7 |
|
Scout
Join Date: May 2007
Location: California
Posts: 26
|
Beware what you do with the setuid stuff if you intend on supporting multiuser Angband on Darwin. Apple's apparently does something odd/buggy/whatever. I'm sorry that I can't tell you exactly what's wrong; we don't use setuid on ToME anymore so the issue became moot.
|
|
|
|
|
June 21, 2007, 06:46
|
#8 | |
|
Swordsman
Join Date: May 2007
Posts: 289
|
Quote:
|
|
|
|
|
|
June 21, 2007, 11:13
|
#9 | |
|
Veteran
Join Date: Apr 2007
Posts: 1,951
Donated: $40
|
Quote:
|
|
|
|
|
|
June 23, 2007, 04:41
|
#10 | |
|
Scout
Join Date: May 2007
Location: California
Posts: 26
|
Quote:
|
|
|
|
|
 |
| Currently Active Users Viewing This Thread: 1 (0 members and 1 guests) | |
| Thread Tools | |
| Display Modes | |
|
|
Linear Mode
