[PATCH] Fake POSIX behaviour in seteuid/setegid

Corinna Vinschen vinschen@redhat.com
Fri Sep 24 08:06:00 GMT 2004

Hi Pierre,

On Sep 23 22:35, Pierre A. Humblet wrote:
> At 06:25 PM 9/23/2004 +0200, Corinna Vinschen wrote:
> >[about security fake]
> The patch does what you describe. The gid patch does not allow privileged
> users to change the gids any way they want, which is unusual.

Hmm, well, yes.  Changing the gid should be possible as often as you like
as long as your real or effective uid is equal to the original uid.
So, if we follow this through, the test in gid should check for the uid,
not the gid.  That would come closer, wouldn't it?

> What surprised me is that OpenSSH takes the trouble to check if reversion is
> impossible, although it's the standard POSIX behavior (well, not quite. POSIX
> mentions "appropriate privileges" of the process). There must be cases where
> it can be a problem. I assume it's not risky in Cygwin, because there will 
> soon be an exec that will insure security.

Note that this code is not only in portable OpenSSH, but also in the
stock OpenBSD version!

OpenSSH == paranoia :-)

> Given that there might be issues, I think it's not good practice to mask the
> real behavior when programs try to find what it is.

Actually it was a team member of the OpenSSH team who asked me in PM,
what stops Cygwin to enforce this.  The argumentation was based on
portability, not on security.

I'm also not entirely convinced that this step is really going into
the right direction.  But I think we should look on both sides of the
medal :-)

> Let me sleep on this!

Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          mailto:cygwin@cygwin.com
Red Hat, Inc.
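The "check that reversion is impossible" step the thread attributes to OpenSSH, written out as an added example (this is not code from the thread, from Cygwin or from OpenSSH; the function name drop_privs_checked is assumed). It applies the rule stated above: after a real change of uid or gid, an attempt to get the old id back must be refused, and a caller that sees -1 should abort rather than continue.

```c
/* Added example, not from the thread or from Cygwin/OpenSSH sources.
 * Assumed name: drop_privs_checked(). Uses only POSIX set*id calls. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to (uid, gid). Returns 0 on success, -1 if a step
 * fails or if the previous ids could still be reacquired afterwards. */
int drop_privs_checked(uid_t uid, gid_t gid)
{
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();

    /* Group first: once the uid is unprivileged, setgid() would be refused. */
    if (setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    /* setuid() from a privileged process sets real, effective and saved
     * uid, so there is no saved id left to switch back to. */
    if (setuid(uid) != 0) {
        perror("setuid");
        return -1;
    }

    /* Verification in the OpenSSH spirit: only meaningful when the id
     * actually changed. Per POSIX, a process without appropriate
     * privileges may only switch among its real and saved ids, so
     * regaining the old id must now fail (typically with EPERM). */
    if (old_uid != uid && seteuid(old_uid) == 0) {
        fprintf(stderr, "uid %u could be reacquired\n", (unsigned)old_uid);
        return -1;
    }
    if (old_gid != gid && setegid(old_gid) == 0) {
        fprintf(stderr, "gid %u could be reacquired\n", (unsigned)old_gid);
        return -1;
    }
    /* Final sanity check that we ended up where we meant to. */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}
```

Run as an unprivileged user, dropping to your own ids succeeds and the reversion checks are skipped; asking for a gid you do not hold fails at setgid() and the function reports -1.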