Semantics of "seteuid(uid)" vs. "setreuid(-1,uid)"

David Schultz das at FreeBSD.ORG
Mon Jun 7 22:10:34 GMT 2004


On Sun, Jun 06, 2004, Stefan Eßer wrote:
> Any reason, that there is a difference in semantics between:
> 
> 	seteuid(id)	vs.	setreuid(-1, id)	???
> 
> The tests performed on the arguments are different (assuming a
> fixed arg of -1 for ruid) in that seteuid does not support the
> case of (euid == cr_uid):
> [...]
> Is the difference between seteuid() and setreuid() deliberate?

The best rationale I can think of is that setreuid(x, geteuid())
does something useful, whereas seteuid(geteuid()) is a no-op.  I
think the seteuid() behavior you complain about exists for purely
historical reasons.  POSIX does not require seteuid(geteuid()) to
succeed, but it implicitly allows it as an extension.  Solaris and
Linux have this extension.  The trouble with tweaking the
interface is that you always have to ask: what new security holes
could this open up in existing software?

Hao Chen points out that the failure of seteuid(geteuid()) in
FreeBSD is one of many tricky issues with using the set*uid()
interface portably.  In my (biased) opinion, his Setuid
Demystified paper is well worth reading if you want to untangle
this stuff in your mind:

	http://www.usenix.org/events/sec02/full_papers/chen/chen.pdf

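Added example (not part of the thread, and not code from FreeBSD or from the Setuid Demystified paper): a small C program that probes exactly the two calls under discussion, seteuid(geteuid()) and setreuid(-1, geteuid()), records the return value, errno and the credentials afterwards, and then shows the portable habit the paper argues for: never trust the return code of a set*uid() call alone, confirm with geteuid() that the process really holds the identity you expect. The function names (probe_seteuid_self, probe_setreuid_self, set_euid_verified) and the uid_probe struct are my own; the per-platform outcomes noted in the comments are the ones stated in the message above (historic FreeBSD fails the seteuid() no-op with EPERM, Linux and Solaris accept it).

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of one credential-changing call plus the state afterwards. */
struct uid_probe {
    int rc;           /* return value of the call: 0 or -1 */
    int err;          /* errno when rc == -1, otherwise 0 */
    uid_t ruid_after; /* real uid after the call */
    uid_t euid_after; /* effective uid after the call */
};

static struct uid_probe record(int rc) {
    struct uid_probe p;
    p.rc = rc;
    p.err = (rc == -1) ? errno : 0;
    p.ruid_after = getuid();
    p.euid_after = geteuid();
    return p;
}

/* seteuid(geteuid()): the "no-op" the thread is about.  Historic FreeBSD
 * rejected it with EPERM; Linux and Solaris return 0.  Either way the
 * effective uid is unchanged afterwards. */
struct uid_probe probe_seteuid_self(void) {
    errno = 0;
    return record(seteuid(geteuid()));
}

/* setreuid(-1, geteuid()): same intent, but setreuid() explicitly allows
 * euid == current euid, so this succeeds on all of the systems discussed. */
struct uid_probe probe_setreuid_self(void) {
    errno = 0;
    return record(setreuid((uid_t)-1, geteuid()));
}

/* Portable pattern: issue the call, then verify the resulting credentials
 * instead of relying on the return code.  This tolerates a platform that
 * fails the no-op case (the state is already correct) and, more
 * importantly, catches a platform where the call "succeeds" without
 * producing the identity the caller assumed.  Returns 0 only when the
 * effective uid really equals target. */
int set_euid_verified(uid_t target) {
    (void)seteuid(target);            /* return code deliberately not trusted */
    return (geteuid() == target) ? 0 : -1;
}

static void show(const char *name, struct uid_probe p) {
    printf("%-24s rc=%d errno=%s ruid=%u euid=%u\n", name, p.rc,
           p.rc == -1 ? strerror(p.err) : "0",
           (unsigned)p.ruid_after, (unsigned)p.euid_after);
}

int main(void) {
    show("seteuid(geteuid())", probe_seteuid_self());
    show("setreuid(-1, geteuid())", probe_setreuid_self());
    printf("set_euid_verified(self) -> %d\n", set_euid_verified(geteuid()));
    return 0;
}
```

Run it unprivileged on a Linux box and both probes report rc=0; the same binary on a FreeBSD of the era described in the thread would report rc=-1 errno=EPERM for the first probe and rc=0 for the second, while set_euid_verified() reports 0 in both cases because it checks the credentials rather than the return code.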