Alan Cox writes: > > Duncan Simpson writes: > > > ncurses version 4.1 fails to drop priviledges before opening the > > > termcap database and you can set any file(s) you like. > > > > This is not a bug. ncurses is a *library*, not a *program*. It is up > > to suid programs to drop privileges, not every call that invokes them -- > > or are you going to declare the fact that fopen() doesn't drop > > privileges a "bug"? > > Depends how you care to look at it. I can agree with your reasoning. > > In which case there is a bug in > screen (as root so very bad) > dosemu > mutt > several bsd-games packages There are indeed many such bugs. SUID programs should drop privs almost immediately. The number of possible places such issues can lurk is semi-infinite. You'll never get all of them. You *can*, however, drop privs almost instantly. > anywhere on the planet today. Also of course any setuid/setgid applications > using NLS or TZ. The latter is far nastier because > > 1. The libraries will use message catalogs and may open them before > you do In NetBSD, the message catalogs we use don't work that way, so I suppose I'm not familiar with this issue. > 2. If you are using C++ your constructors can't call libc in this case > as the order of constructors isnt defined ??? Why not just drop privs at the beginning as you are supposed to? > 4. Dropping TZ or NLS when setuid is really obnoxious - Japanese users > will love having mutt, screen, and things like su in English. So don't drop them -- drop privs *first*. Sigh. Perry
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:02:24 PDT