About setreuid() and setresuid()


From: Stanislav Ievlev <inger@altlinux.ru>
Subject: About setreuid() and setresuid()
Date: Thu, 29 Mar 2001 12:19:33 +0400



Hi!

It's not a bug, but it's not correct.

System calls sys_setreuid(ruid,euid) and sys_setresuid(ruid,euid,suid) 
allow "-1" to be used for parameters (e.g. sys_setreuid(-1,euid)). The 
result of this action is that nothing is changed. Many programs use this 
feature (e.g. postfix, make).

But RSBAC checks ruid in these calls without "-1" uid support. As a result 
we have a lot of unnecessary checks and "NOT GRANTED". It's also bad 
for benchmarks of RSBAC systems.

I'm sending a patch for the 2.4.2 kernel to make this checking more flexible.
--------------------
With best regards
Stanislav Ievlev
<inger@linux.ru.net>

Attachment: rsbac-ruid.patch

--- sys.c.orig	Wed Mar 28 09:45:36 2001
+++ sys.c	Thu Mar 29 11:47:10 2001
@@ -607,6 +607,9 @@
 
         /* RSBAC */
         #ifdef CONFIG_RSBAC
+	if (ruid == (uid_t) -1) {
+	    rsbac_res = 1;
+	}else{
         if (rsbac_debug_aef)
           printk(KERN_DEBUG "sys_setreuid(): calling ADF\n");
         rsbac_target_id.process = current->pid;
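Review bot: The new test at the top of the CONFIG_RSBAC block in sys_setreuid() looks only at ruid, so a call such as sys_setreuid(-1, euid) now passes this block with no ADF request at all, even though its euid argument is not -1. The request in the following hunk is made with A_owner, so skipping it when the real uid is left alone is reasonable, but please add a comment above `if (ruid == (uid_t) -1) {` that says so and states whether the effective uid is meant to be covered here, so the skip is not read as "this call changes nothing".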
@@ -618,6 +621,7 @@
                                       rsbac_target_id,
                                       A_owner,
                                       rsbac_attribute_value);
+	}
         #endif
         
 	new_ruid = old_ruid = current->uid;
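Review bot: The `}` added before `#endif` closes an else block whose body, the existing debug printk and ADF request, stays at its old indentation, so the nesting is invisible when reading sys.c. Either re-indent the body or mark the brace, for example `} /* ruid != -1 */`.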
@@ -794,6 +798,9 @@
 
         /* RSBAC */
         #ifdef CONFIG_RSBAC
+	if (ruid == (uid_t) -1) {
+	    rsbac_res = 1;
+	}else{
         if (rsbac_debug_aef)
           printk(KERN_DEBUG "sys_setresuid(): calling ADF\n");
         rsbac_target_id.process = current->pid;
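Review bot: In the sys_setresuid() block, `rsbac_res = 1;` uses a bare literal whose meaning (presumably "granted") cannot be checked from the patch; a short comment, or a named constant if RSBAC has one, would make the intent clear. The -1 branch also skips the rsbac_debug_aef printk, so with debugging enabled there is no trace that the ADF call was bypassed; a matching KERN_DEBUG line in that branch would help. The same three added lines already appear in sys_setreuid(), so a small shared helper or macro would keep the two copies from drifting apart.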
@@ -805,6 +812,7 @@
                                       rsbac_target_id,
                                       A_owner,
                                       rsbac_attribute_value);
+        }
         #endif
         
 	if (!capable(CAP_SETUID)) {
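Review bot: Whitespace in the added lines is inconsistent: this closing `}` is indented with spaces, while the matching brace in sys_setreuid() and the added `if` lines use a tab, and `}else{` has no spaces around `else`. Please use tabs throughout and write `} else {`.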

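The "-1" semantics described in the message, as an added user-space model (not part of the original post or of RSBAC): it applies setresuid()-style arguments to a constructed set of ids, reports which ids change, and shows when the patch's `ruid != -1` test would issue the owner request. It goes slightly beyond the mail by also covering an explicit ruid equal to the current one. The names `struct ids`, `set_one`, `model_setresuid`, `owner_request_made` and all uid values are assumptions for illustration; no kernel permission checks are modelled.

```c
#include <stdio.h>
#include <sys/types.h>

#define UID_KEEP ((uid_t)-1)            /* the "-1" argument: keep this id */
enum { CHG_RUID = 1, CHG_EUID = 2, CHG_SUID = 4 };
struct ids { uid_t ruid, euid, suid; }; /* hypothetical model type */

/* Replace *field unless the argument is -1; return 'bit' if the value changed. */
static unsigned set_one(uid_t *field, uid_t arg, unsigned bit)
{
    if (arg == UID_KEEP || arg == *field)
        return 0;
    *field = arg;
    return bit;
}

/* Model of setresuid(ruid, euid, suid) argument handling only:
 * capability and permission checks are not modelled. */
static unsigned model_setresuid(struct ids *c, uid_t r, uid_t e, uid_t s)
{
    return set_one(&c->ruid, r, CHG_RUID)
         | set_one(&c->euid, e, CHG_EUID)
         | set_one(&c->suid, s, CHG_SUID);
}

/* The patch's test: the owner (ruid) request is made only when ruid != -1. */
static int owner_request_made(uid_t ruid_arg)
{
    return ruid_arg != UID_KEEP;
}

int main(void)
{
    /* Constructed sample calls for a process with ruid=euid=suid=1000. */
    static const uid_t calls[][3] = {
        { UID_KEEP, UID_KEEP, UID_KEEP },   /* pure no-op */
        { UID_KEEP, 1001,     UID_KEEP },   /* euid only */
        { 1000,     UID_KEEP, UID_KEEP },   /* ruid given, same value */
        { 1001,     1001,     1001     },   /* all three */
    };
    for (size_t i = 0; i < sizeof calls / sizeof calls[0]; i++) {
        struct ids c = { 1000, 1000, 1000 };
        unsigned chg = model_setresuid(&c, calls[i][0], calls[i][1], calls[i][2]);
        printf("call %zu: owner request %-7s changed: ruid=%d euid=%d suid=%d\n",
               i, owner_request_made(calls[i][0]) ? "made" : "skipped",
               !!(chg & CHG_RUID), !!(chg & CHG_EUID), !!(chg & CHG_SUID));
    }
    return 0;
}
```
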