Guide to writing secure setuid programs?

John M Chambers x7780 1E342 jc at heart-of-gold
Fri Mar 18 07:34:49 AEST 1988


> And, of course, the general rule is not to write setuid programs
> in the first place, but that has been handled by other people.

One question I have:  To my knowledge, there does not actually exist a way
to "write a setuid program".

Yes, of course, I know how to type:
	chmod 6755 foo
I claim that this does not constitute "writing a setuid program".  What it
does is take an existing non-setuid program (that is already written and
compiled) and make it into a setuid program.  But when the programmer wrote
it, it wasn't setuid.

Lest people think I am being facetious, I'd like to point out that there
is an important point at work here.  When writing a program, I don't know
whether it will be setuid.  So how can I follow the above advice? (Obviously,
by not writing any programs! :-)  When I write a line of code, how do I
determine whether it is in a setuid program?

There is one sense in which I could conceive of actually writing a setuid
program.  If there were a way to test at run time whether the program (well,
actually the process, but you know what I mean) is setuid:

	if (setuid(getpid())) {
		<<Don't do a bunch of stuff>>
	} else {
		<<Go ahead and do them>>
	}

Can anyone show me the source for setuid()?  I suspect that you can't,
but I'd like someone to explain how stupid I'm being and how easy it is.

For a further argument, consider the alternative:

	#if SETUID
		<<Don't do a bunch of stuff>>
	#else
		<<Go ahead and do them>>
	#endif

I contend that there is no way for the C preprocessor to correctly
implement the above #if command.  I'd be very interested in being
proved incorrect.
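The run-time test the post asks for does exist, in the form of comparing the real and effective ids (getuid() versus geteuid(), getgid() versus getegid()); the preprocessor genuinely cannot know, since the bit is set on the file after compilation. The following is an added example, not code from the post, showing that check plus a permanent privilege drop that verifies it cannot be undone; the function names are my own.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Pure comparison so the logic can be exercised with constructed ids. */
int ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* The run-time test: is this process currently running with an effective
 * id that differs from its real id?  Only meaningful before the program
 * has itself changed ids; after a setuid() call the answer may be "no"
 * even though the binary on disk is mode 6755. */
int is_setuid_process(void)
{
    return ids_differ(getuid(), geteuid(), getgid(), getegid());
}

/* Permanently give up any set-id privilege and confirm it is really gone.
 * Returns 0 on success, -1 if a call failed or privilege can be regained.
 * Caveat: for a set-id-to-non-root binary, POSIX setuid() may change only
 * the effective id and leave the saved id behind; the verification step
 * below catches exactly that case. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Group first: once the uid is dropped, setgid() may no longer be allowed. */
    if (rgid != egid && setgid(rgid) != 0) return -1;
    if (ruid != euid && setuid(ruid) != 0) return -1;

    /* Verify: if the old effective id can be re-acquired, the drop was partial. */
    if (ruid != euid && setuid(euid) == 0) return -1;
    if (rgid != egid && setgid(egid) == 0) return -1;
    return is_setuid_process() ? -1 : 0;
}

int main(void)
{
    printf("set-id at start: %s\n", is_setuid_process() ? "yes" : "no");
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "could not drop privileges permanently\n");
        return 1;
    }
    printf("privileges dropped, set-id now: %s\n",
           is_setuid_process() ? "yes" : "no");
    return 0;
}
```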
