Path: utzoo!attcan!uunet!husc6!bbn!uwmcsd1!uxc!tank!nucsrl!gore From: gore@eecs.nwu.edu (Jacob Gore) Newsgroups: comp.bugs.4bsd Subject: Real GID must not be forced into group list Message-ID: <3830002@eecs.nwu.edu> Date: 17 Sep 88 20:01:03 GMT Organization: Northwestern U, Evanston IL, USA Lines: 94 In 4.3BSD, the real gid is automatically a member of the group list. This is a mistake. It makes setregid(2) and access(2) useless. This example (derived from a real problem I ran into) illustrates this problem: ---------------------------------- gore 2> cat test2.c #include #include main(){ int ret; uid_t ruid, euid; gid_t rgid, egid; ruid=getuid(); rgid=getgid(); euid=geteuid(); egid=getegid(); setreuid(euid, ruid); setregid(egid, rgid); printf("uid=%d,\tgid=%d;\t\teuid=%d,\tegid=%d\n", getuid(), getgid(), geteuid(), getegid()); if (open("/tmp/jjj/aaa", O_RDWR|O_APPEND|O_CREAT, 0777) < 0) { perror("file"); } setreuid(ruid, euid); setregid(rgid, egid); printf("uid=%d,\tgid=%d;\t\teuid=%d,\tegid=%d\n", getuid(), getgid(), geteuid(), getegid()); } gore 2> ls -lg a.out -rwxr-sr-x 1 notes notes 11264 Sep 17 14:38 a.out gore 2> ls -lgd /tmp/jjj drwxrwxr-x 2 notes notes 512 Sep 17 14:39 /tmp/jjj gore 2> ls -lg /tmp/jjj total 0 gore 2> whoami gore gore 2> groups staff msgs tex lab gore 2> ./a.out uid=10003, gid=7; euid=10003, egid=100 uid=10003, gid=100; euid=10003, egid=7 gore 2> ls -lg /tmp/jjj total 0 -rwxr-xr-x 1 gore notes 0 Sep 17 14:40 aaa gore 2> ---------------------------------- The setregid() call does nothing to change the process's access privileges! The privileges are in effect those provided by the union of real gid, effective gid, and the group list, so swapping the real and the effective gid's does nothing but change the names of the slots they are stored in. This is more than just a problem with setregid() -- it also breaks access(), as shown in the next test program: ---------------------------------- gore 2> cat test.c #include main(){ int ret; if (access("/tmp/jjj/aaa", W_OK) < 0) perror("file"); if (access("/tmp/jjj", W_OK) < 0) perror("directory"); } gore 2> ls -lg a.out -rwxr-sr-x 1 notes notes 6144 Sep 17 14:52 a.out gore 2> ls -lgd /tmp/jjj drwxrwxr-x 2 notes notes 512 Sep 17 14:40 /tmp/jjj gore 2> ls -lg /tmp/jjj total 0 gore 2> whoami gore gore 2> groups staff msgs tex lab gore 2> ./a.out file: No such file or directory gore 2> ---------------------------------- This program should have executed both the 'perror("file")' AND the 'perror("directory")', because gore/{staff,msgs,tex,lab} is not allowed to write in /tmp/jjj. I thank Chris Torek and Naim Abdullah for helping me pinpoint this problem. Jacob Gore Gore@EECS.NWU.Edu Northwestern Univ., EECS Dept. {oddjob,gargoyle,att}!nucsrl!gore