Re: High UID support for Linux

H. Peter Anvin (hpa@transmeta.com)
2 Dec 1998 20:12:27 GMT

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Pavel Machek: "Re: Internationalizing Linux"
Previous message: Mike Sackton: "Re: NTP dumps Linux, film at 11. [Fwd/FYI]"

Followup to: <199812021313.OAA05762@pallas.spacetec.no>
By author: tor@spacetec.no (Tor Arntsen)
In newsgroup: linux.dev.kernel
>
> In article <fa.j1u4o4v.dm8rj1@ifi.uio.no>,
> hpa@transmeta.com (H. Peter Anvin) writes:
> >It's also important to recognize that using getpwent to extract one's
> >own home directory is *WRONG*. HOME and USER may point to a different
> >place/user than getuid() and getpwuid(getuid()) will give you; this is
> >quite common for setuid programs and when using su -m.
>
> but HOME and USER can't be used in all situations. If a setuid program
> changes the uid and starts another program (as is the case in a project
> I'm on, the customer uses one setuid program to start all the other
> apps, each with their own uid) then HOME and USER etc. is obviously wrong
> for those applications, unless the setuid program explicitly sets those
> variables (our customers application doesn't).
>
> It all depends on what you define as your 'own home directory'.
>
> - Tor
> (Disclaimer: I haven't followed this High UID thread so I'm only commenting
> that particular statement about HOME, I may be ignorant about something in
> the larger picture which may make my comment irrelevant.. if so pls ignore :-)
>

Then your customer's program is buggy, unless it intends to refer to
the HOME and USER of the *user who started the setuid program*.

Of course, getuid() and friends are appropriate for determining *what
privileges am I running under*, which is different from *what user is
operating this session.*

-hpa

-- 
    PGP: 2047/2A960705 BA 03 D3 2C 14 A8 A8 BD  1E DF FE 69 EE 35 BD 74
    See http://www.zytor.com/~hpa/ for web page and full PGP public key
        I am Bahá'í -- ask me about it or see http://www.bahai.org/
   "To love another person is to see the face of God." -- Les Misérables

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Pavel Machek: "Re: Internationalizing Linux"
Previous message: Mike Sackton: "Re: NTP dumps Linux, film at 11. [Fwd/FYI]"