Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!cbosgd!gatech!ut-sally!std-unix
From: std-unix@ut-sally.UUCP (Moderator, John Quarterman)
Newsgroups: mod.std.unix
Subject: Re: Clearing environment on exec of setuid process
Message-ID: <4128@ut-sally.UUCP>
Date: Thu, 6-Feb-86 08:01:32 EST
Article-I.D.: ut-sally.4128
Posted: Thu Feb 6 08:01:32 1986
Date-Received: Fri, 7-Feb-86 21:09:54 EST
References: <4106@ut-sally.UUCP> <4029@ut-sally.UUCP>
Organization: IEEE/P1003 Portable Operating System Environment Committee
Lines: 28
Approved: jsq@sally.UUCP

Date: Wed, 5 Feb 86 08:12:33 pst
From: seismo!sun!rtech!daveb (Dave Brower)
Organization: Relational Technology Inc, Alameda CA

At first glance I thought clearing the environment on the exec of a
setuid program might be OK, but it seems full of awkward side effects.
For instance, I could not have one of my favorite programs, nasty,
that runs setuid root and then execs the remainder of its arguments
with a negative nice value. The real child process would never be
able to get a reasonable environment.

The answer is only to do limited operations when in setuid. The best
way to do this would be to allow processes to painlessly shift back
and forth between their real-uid and effective-uid. This is allowed,
but not documented on BSD, but appears not to be allowed at all on SV.
This way, you can have your one section that needs to run setuid be
setuid whenever needed, while running as the real user the rest of
the time.

Lastly, you really need to be able to set fixed priorities rather
than just nice values so things like a memory/cpu pig server process
can avoid getting bumped. Convex did this by making nice values < -20
and > +20 be a fixed priority. This seems quite reasonable, and lets
a 'nasty' root program set the fixed high priority.

-dB

Volume-Number: Volume 5, Number 39