Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: FozZy (fozzy_at_dmpfrance.com)
Date: Fri Jul 19 2002 - 07:15:54 CDT
Thanks to everyone for your answers. To sum up:
- this is correct standard unix98 behavior
- the linux setgid manpage is wrong.
Hey, sorry for pointing out a vulnerability in a manpage :p
Better to know that. set*id calls are tricky. I had checked the FreeBSD behavior, it was the same as what both linux and freebsd manpage told: "the setgid() function sets the real and effective group IDs and the saved set-group-ID of the current process to the specified value", no matter what the user id is (super-user or not).
I now realize that both behaviors are acceptable:
- FreeBSD setgid syscall is "POSIX1 compliant with _POSIX_SAVED_IDS *not* defined with the Appendix B.4.2.2 permitted extensions".
- Linux uses more current standards (but should update its manpage; so beware when porting FreeBSD apps to linux ;)
Hackademy & Hackerz Voice Director
PS: Such an error in a manpage, for people (like me) who are not standard unix98 gurus, is dangerous.
For developpers of course, but i am also thinking about system administrators trying to set up a more secure system by removing the setuid bit from some programs, and tuning file permissions (and maybe hacking a bit the program) so that the setgid bit only makes the job. I used to do that. It could actually result in lower security !