POSIX Saved-Set-IDs v. System V

Guy Harris guy at auspex.uucp
Thu Aug 2 10:47:33 AEST 1990 

From:  guy at auspex.uucp (Guy Harris)

>The rationale, in B.4.2.2, claims that this functionality is derived from
>System V

It is.

>and is designed to permit the application to toggle between the
>effective ID of the process and the real ID of the process creator.

It, like the S5 functionality it is derived from, does so as long as the
process isn't set-UID "root".  POSIX just inherits S5's deficiencies
here.

>The conflict between 4.2.2.2 and System V setuid is that System V states
>
>	"If the effective user ID of the calling process is super-user,
>	 the real user (group) ID and effective user (group) ID are set
>	 to uid (gid)."

That may be what the SVID *states* (or Issue 2 states, anyway; our copy
of volume 1 has disappeared), and is what the S5R3 documentation states,
but it ain't what System V *does*.  What System V *does* is:

>and 4.2.2.2 states
>
>	"(1) If the process has appropriate privileges, the setuid()
>	 function sets the real user ID, effective user ID, and the
>	 saved set-user-ID to uid."

...precisely that.  If you do "setuid(uid)" when the effective user ID
is super-user, the saved set-user ID, as well as the real and effective
UIDs, are set to "uid".

There's no conflict between what AT&T's S5 implementation does, and what
POSIX specifies.  There may be a conflict between what the SVID, Issue
2, specifies, and what POSIX specifies, but that means there's a
conflict between what the SVID, Issue 2, specifies and what System V
does, too.  (Remember, this is UNIX; the documentation isn't the
up-to-date spec for what the system does, the code is.)

In fact, the Third Edition of the SVID finally admits that; the wording
is the same as POSIX.  The S5R4 documentation also admits the way S5 has
worked since saved set-user IDs were first introduced.

>Contrary to the rationale, this behavior does not permit the application
>to toggle between the real and saved set-user-ID unless both are not the
>super-user's ID.  So, how does an application toggle between a non-super
>user and a super-user?

The author of the application lobbies one or more of POSIX and AT&T/UI
to specify or implement "seteuid()", a call that takes one argument and
sets the effective user ID, and *ONLY* the effective user ID, to the
value of that argument, even if the process has appropriate privileges. 
Without a call like that - which some systems with saved set-user IDs,
such as SunOS 4.x, have, and which System V Release 4 may even have, but
without documentation - you're screwed. 


Volume-Number: Volume 20, Number 154

More information about the Comp.std.unix mailing list