Newsgroups: news.software.b Path: utzoo!geoff From: geoff@zoo.toronto.edu (Geoffrey Collyer) Subject: Re: C News and setuid(geteuid) Message-ID: <1991Feb2.060633.23602@zoo.toronto.edu> Organization: U of Toronto Zoology References: Date: Sat, 2 Feb 1991 06:06:33 GMT Mogens Lynnerup: > In relay/relaynews.c C News wants to do a setuid(geteuid). Could someone > please tell me reason for this. Why does one want to set the real uid to the > effective? Some older Unixes, notably V7 and probably System III, present a problem when trying to make a directory from a setuid program. There is no mkdir system call and the mkdir command is setuid-root and chowns the resultant directory to its real uid. A setuid program such as relaynews invoking a setuid-root mkdir command will result in mkdir chowning the directory to relaynews's real uid, not its effective uid ("news"), which will probably cause the resultant directory to be unwritable by relaynews. At least on 4BSD and our local V7 systems at the time, setuid(geteuid()) makes relaynews's real uid "news" and thus mkdir gets the ownership right. > On our machine, an Amdahl running UTS (some kind of Sys 5.3), it doesn't > work, and so far i've only found one machine, an Alliant FX8 running BSD, > where it works. I've tried an IBM RS/6000 running AIX 3.1, an Apollo > DN3500 running Domain/OS 10.2 and a Silicon Graphics running IRIX System > V.3. Years ago, when relaynews was written, it appeared that all modern Unixes were permitting setuid(geteuid()) and doing the obvious and sensible thing. Alas, that was before the SVID and SysV (and now POSIX) went mad and started inventing saved-userid-at-exec and other cracked schemes for muddying a previously clean and simple mechanism for the sake of some ill-defined and small class of problems. We don't have many pure System V's around here, since our machines tend to need TCP/IP and Ethernet support, so it's hard to be sure just *what* a modern System V does with setuid(geteuid()), but judging from the complaints we have had, it doesn't set the real uid (i.e. it botches the setuid() call) or getuid() doesn't return the real uid (a different botch). I'm getting tired of the increasing breakage in SysV and the standards, so I'm retreating further and further from the exotic periphery of Unix system calls to avoid being bitten as standards organisations break promises made by Unix to programmers over at least the last 15 years (`existing practice: just say no'). My current plan is to get rid of all uid setting in relaynews and setnewsids and require that relaynews always be invoked with real uid of "news" (or local equivalent). This will have the beneficial side-effects of eliminating a build question, simplifying relaynews and fixing a festering portability problem. -- Geoff Collyer utzoo!geoff, zoo.toronto.edu!geoff