Clearing environment on exec of setuid process

Moderator, John Quarterman std-unix at ut-sally.UUCP
Thu Feb 6 23:01:32 AEST 1986


Date: Wed, 5 Feb 86 08:12:33 pst
From: seismo!sun!rtech!daveb (Dave Brower)
Organization: Relational Technology Inc, Alameda CA

At first glance I thought clearing the environment on the exec of a setuid
program might be OK, but it seems full of awkward side effects.

For instance, I could not have one of my favorite programs, nasty, that
runs setuid root and then execs the remainder of its arguments with
a negative nice value.  The real child process would never be able to
get a reasonable environment.

The answer is only to do limited operations when in setuid.  The best
way to do this would be to allow processes to painlessly shift back and
forth between their real-uid and effective-uid.  This is allowed, but
not documented on BSD, but appears not to be allowed at all on SV.
This way, you can have your one section that needs to run setuid be setuid
whenever needed, while running as the real user the rest of the time.

Lastly, you really need to be able to set fixed priorities rather than
just nice values so things like a memory/cpu pig server process can avoid
getting bumped.  Convex did this by making nice values < -20 and > +20
be a fixed priority.  This seems quite reasonable, and lets a 'nasty'
root program set the fixed high priority.

-dB

Volume-Number: Volume 5, Number 39
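As an added example (not code from Dave's post or from his "nasty" program), here is a wrapper of that kind written the way the post argues for: it shifts between real and effective uid with seteuid(), performs the one privileged operation (a negative nice value, assumed here to be -10), then gives up root for good before exec'ing the user's command, so the child runs as the real user with the user's own environment intact. The function names and the check that privilege cannot be regained are this example's own.

```c
/* Added example: a "nasty"-style setuid-root wrapper that stays privileged
 * only for the setpriority() call.  The nice value -10 is an assumption. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

static uid_t privileged_euid;   /* the euid we started with (root if installed setuid root) */

/* Leave the privileged section: effective uid becomes the real uid. */
int drop_to_real_user(void) {
    privileged_euid = geteuid();
    if (seteuid(getuid()) != 0) return -1;
    return geteuid() == getuid() ? 0 : -1;
}

/* Re-enter the privileged section for the one operation that needs it. */
int regain_privilege(void) {
    if (seteuid(privileged_euid) != 0) return -1;
    return geteuid() == privileged_euid ? 0 : -1;
}

/* Give up the privileged uid/gid permanently and verify it cannot come back. */
int drop_privilege_for_good(void) {
    uid_t real_uid = getuid();
    gid_t real_gid = getgid();
    if (setgid(real_gid) != 0) return -1;   /* gid first: after setuid() we could not */
    if (setuid(real_uid) != 0) return -1;   /* setuid() as root clears the saved uid too */
    /* The regain check only means something when the two uids differed. */
    if (privileged_euid != real_uid && seteuid(privileged_euid) == 0) return -1;
    return (getuid() == real_uid && geteuid() == real_uid) ? 0 : -1;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s cmd [args...]\n", argv[0]); return 2; }
    if (drop_to_real_user() != 0) { perror("seteuid"); return 1; }
    /* ... argument handling and any other unprivileged work goes here ... */
    if (regain_privilege() != 0) { perror("seteuid"); return 1; }
    /* The only privileged operation: a negative nice value for ourselves. */
    if (setpriority(PRIO_PROCESS, 0, -10) != 0) { perror("setpriority"); return 1; }
    if (drop_privilege_for_good() != 0) { perror("setuid"); return 1; }
    execvp(argv[1], argv + 1);   /* child inherits our (the user's) environment */
    perror("execvp");
    return 1;
}
```

Run unprivileged the uid calls are no-ops and only setpriority() fails; installed setuid root, the exec'd command runs with the user's uid, gid and environment but the raised priority.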
