Re: Linux kernel setgid implementation flaw

From: FozZy (fozzyat_private)
Date: Fri Jul 19 2002 - 05:15:54 PDT


Thanks to everyone for your answers. To sum up:
- this is correct standard UNIX98 behavior
- the Linux setgid manpage is wrong.

Hey, sorry for pointing out a vulnerability in a manpage :p

Better to know that. set*id calls are tricky. I had checked the FreeBSD behavior; it was the same as what both the Linux and FreeBSD manpages said: "the setgid() function sets the real and effective group IDs and the saved set-group-ID of the current process to the specified value", no matter what the user ID is (super-user or not).

I now realize that both behaviors are acceptable:
- The FreeBSD setgid syscall is "POSIX.1 compliant with _POSIX_SAVED_IDS *not* defined with the Appendix B.4.2.2 permitted extensions".
- Linux uses more current standards (but should update its manpage; so beware when porting FreeBSD apps to Linux ;)

FozZy
Hackademy & Hackerz Voice Director

PS: Such an error in a manpage, for people (like me) who are not standard UNIX98 gurus, is dangerous.
For developers of course, but I am also thinking about system administrators trying to set up a more secure system by removing the setuid bit from some programs, and tuning file permissions (and maybe hacking the program a bit) so that the setgid bit alone does the job. I used to do that. It could actually result in lower security!
    
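The discrepancy the thread is about, as an added example that is not part of FozZy's post or of any manpage: a C program that drops group privilege first the way the 2002 manpage text implied was sufficient, `setgid(getgid())`, and then with an explicit `setresgid()` that sets all three group IDs and verifies the result by trying to switch back. `getresgid()`/`setresgid()` are Linux and FreeBSD extensions rather than POSIX (glibc exposes them under `_GNU_SOURCE`); the function names `naive_drop_group`, `hardened_drop_group` and the `gids` struct are this example's own. Build it, make the binary setgid to some group you are not a member of (`chgrp <group> setgid_demo; chmod g+s setgid_demo`, as root), and run it as an unprivileged user: on Linux the naive path reports that the saved set-group-ID still holds the privileged group, which is exactly the porting trap described above.

```c
#define _GNU_SOURCE          /* glibc: expose getresgid()/setresgid() */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Snapshot of the three group IDs a process carries. getresgid() is a
 * Linux/FreeBSD extension, not POSIX, but it is the only direct way to
 * observe the saved set-group-ID. */
struct gids { gid_t real, eff, saved; };

static int get_gids(struct gids *g)
{
    return getresgid(&g->real, &g->eff, &g->saved);
}

static void show_gids(const char *label)
{
    struct gids g;
    if (get_gids(&g) == 0)
        printf("%-28s real=%u eff=%u saved=%u\n", label,
               (unsigned)g.real, (unsigned)g.eff, (unsigned)g.saved);
}

/* The "portable" drop: setgid(getgid()). Returns 0 if all three GIDs now
 * equal the real GID, 1 if a different saved set-group-ID survived the call
 * (what an unprivileged caller gets on Linux under POSIX saved-ID
 * semantics), -1 on error. */
int naive_drop_group(void)
{
    struct gids g;
    gid_t target = getgid();

    if (setgid(target) != 0 || get_gids(&g) != 0)
        return -1;
    return (g.real == target && g.eff == target && g.saved == target) ? 0 : 1;
}

/* Hardened drop: set real, effective and saved GID explicitly, then verify
 * both by re-reading them and by attempting to switch back. Returns 0 only
 * when the old group privilege is provably gone, -1 otherwise. (A process
 * that is still uid 0 can always regain groups; dropping the UID is a
 * separate step not shown here.) */
int hardened_drop_group(void)
{
    struct gids before, after;

    if (get_gids(&before) != 0)
        return -1;
    gid_t target = before.real;

    if (setresgid(target, target, target) != 0 || get_gids(&after) != 0)
        return -1;
    if (after.real != target || after.eff != target || after.saved != target)
        return -1;

    /* Regain attempts: moving the effective GID back to the old effective or
     * saved GID must now fail; (gid_t)-1 leaves a field unchanged. The check
     * is skipped when the old value already equals the target. */
    if (before.eff != target && setresgid((gid_t)-1, before.eff, (gid_t)-1) == 0)
        return -1;
    if (before.saved != target && setresgid((gid_t)-1, before.saved, (gid_t)-1) == 0)
        return -1;
    return 0;
}

int main(void)
{
    show_gids("at start");
    int naive = naive_drop_group();
    show_gids("after setgid(getgid())");
    printf("naive drop: %s\n", naive == 1 ? "saved GID still privileged"
                                : naive == 0 ? "all three dropped" : "error");
    int hard = hardened_drop_group();
    show_gids("after setresgid(g,g,g)");
    printf("hardened drop: %s\n", hard == 0 ? "privilege gone" : "FAILED");
    return (naive == -1 || hard != 0) ? 1 : 0;
}
```

Run without the setgid bit, or as root, all three IDs already agree and both paths report a clean drop, so the test that matters is the unprivileged setgid run. The hardened function does not trust the return code of `setresgid()` alone: it re-reads the IDs and then tries to get the old group back, which is the check that would have caught the manpage error regardless of which semantics the kernel implements.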



    This archive was generated by hypermail 2b30 : Fri Jul 19 2002 - 08:54:01 PDT