Newsgroups: news.software.b
Path: utzoo!geoff
From: geoff@zoo.toronto.edu (Geoffrey Collyer)
Subject: Re: C News and setuid(geteuid)
Message-ID: <1991Feb2.060633.23602@zoo.toronto.edu>
Organization: U of Toronto Zoology
References: <NEULYNNE.91Feb1154357@uts.uni-c.dk>
Date: Sat, 2 Feb 1991 06:06:33 GMT

Mogens Lynnerup:
> In relay/relaynews.c C News wants to do a setuid(geteuid). Could someone
> please tell me reason for this. Why does one want to set the real uid to the
> effective?

Some older Unixes, notably V7 and probably System III, present a problem
when trying to make a directory from a setuid program.  There is no mkdir
system call and the mkdir command is setuid-root and chowns the resultant
directory to its real uid.  A setuid program such as relaynews invoking a
setuid-root mkdir command will result in mkdir chowning the directory to
relaynews's real uid, not its effective uid ("news"), which will probably
cause the resultant directory to be unwritable by relaynews.  At least on
4BSD and our local V7 systems at the time, setuid(geteuid()) makes
relaynews's real uid "news" and thus mkdir gets the ownership right.

> On our machine, an Amdahl running UTS (some kind of Sys 5.3), it doesn't
> work, and so far i've only found one machine, an Alliant FX8 running BSD,
> where it works. I've tried an IBM RS/6000 running AIX 3.1, an Apollo
> DN3500 running Domain/OS 10.2 and a Silicon Graphics running IRIX System
> V.3.

Years ago, when relaynews was written, it appeared that all modern Unixes
were permitting setuid(geteuid()) and doing the obvious and sensible
thing.  Alas, that was before the SVID and SysV (and now POSIX) went mad
and started inventing saved-userid-at-exec and other cracked schemes for
muddying a previously clean and simple mechanism for the sake of some
ill-defined and small class of problems.  We don't have many pure System
V's around here, since our machines tend to need TCP/IP and Ethernet
support, so it's hard to be sure just *what* a modern System V does with
setuid(geteuid()), but judging from the complaints we have had, it
doesn't set the real uid (i.e. it botches the setuid() call) or getuid()
doesn't return the real uid (a different botch).

I'm getting tired of the increasing breakage in SysV and the standards,
so I'm retreating further and further from the exotic periphery of Unix
system calls to avoid being bitten as standards organisations break
promises made by Unix to programmers over at least the last 15 years
(`existing practice: just say no').  My current plan is to get rid of
all uid setting in relaynews and setnewsids and require that relaynews
always be invoked with real uid of "news" (or local equivalent).  This
will have the beneficial side-effects of eliminating a build question,
simplifying relaynews and fixing a festering portability problem.
-- 
Geoff Collyer		utzoo!geoff, zoo.toronto.edu!geoff
