On Mon, 4 Sep 2000, Greg A. Woods wrote:
> With seteuid() [and its earlier form setreuid()] it has been found to be
> possible, on several types of systems, for an ordinary user to modify
> the process, or play other tricks, during the time when it has dropped
> its privileges such that when it regains its privileges (either in the
> normal fashion, or now in the control of the user) it will perform
> actions that the programmer had not intended.
Sure. But in the case of Exim's use of seteuid, the alternative is to
let it run on as root, but otherwise run exactly the same code. If the
user can modify the process address space, they are going to be able to
break things just as easily. I think what I am saying is that Exim's use
of seteuid is not for protection against users, but for protection
against itself. For protection against users, it uses setuid.
This has been a useful discussion. It has further clarified my thinking
about these issues. When I get to considering some long-term strategy
for Exim, I'll think further about this.
--
Philip Hazel            University of Cambridge Computing Service,
ph10@???                Cambridge, England. Phone: +44 1223 334714.
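The distinction Philip draws above, seteuid() as a reversible drop that only protects the program from its own mistakes versus setuid() as an irreversible drop that protects against users, can be made concrete in a few lines of C. The following is an added illustration, not code from Exim or from either poster. It assumes a POSIX system with saved set-user-IDs; on Linux and the BSDs setuid() called with an effective uid of 0 sets the real, effective and saved uids together, while seteuid() touches only the effective uid and leaves the saved uid as the way back. The helper names are invented for this example.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>

/* Reversible drop, the seteuid() pattern the thread attributes to Exim:
 * the saved uid still holds the original effective uid, so the process
 * can come back. Returns 0 on success, -1 on failure. */
int drop_temporarily(uid_t target)
{
    if (seteuid(target) != 0)
        return -1;
    return geteuid() == target ? 0 : -1;
}

/* Regain the original effective uid from the saved uid. Returns 0 if the
 * process is once again running as 'original'. */
int regain(uid_t original)
{
    if (seteuid(original) != 0)
        return -1;
    return geteuid() == original ? 0 : -1;
}

/* Irreversible drop, the setuid() pattern for protection against users.
 * The check a practitioner wants is the one after the call: if seteuid()
 * back to the old effective uid still succeeds, the saved uid survived
 * (for example because the caller was not uid 0 on Linux) and the drop
 * was not permanent, so the function reports failure. */
int drop_permanently(uid_t target)
{
    uid_t before = geteuid();

    if (setuid(target) != 0)
        return -1;
    if (getuid() != target || geteuid() != target)
        return -1;
    /* Only meaningful when we actually changed uid: try to climb back. */
    if (before != target && seteuid(before) == 0)
        return -1;   /* still able to regain: not a real drop */
    return 0;
}

int main(void)
{
    uid_t ruid = getuid(), euid = geteuid();

    printf("start: uid=%u euid=%u\n", (unsigned)ruid, (unsigned)euid);

    if (drop_temporarily(ruid) == 0)
        printf("temporary drop to %u ok\n", (unsigned)ruid);
    if (regain(euid) == 0)
        printf("regained euid %u (reversible, as expected)\n",
               (unsigned)euid);

    if (drop_permanently(ruid) == 0)
        printf("permanent drop to %u ok, cannot regain %u\n",
               (unsigned)ruid, (unsigned)euid);
    else
        printf("permanent drop failed: %s\n",
               errno ? strerror(errno) : "saved uid still usable");
    return 0;
}
```

Run as an ordinary user the three steps succeed trivially because real, effective and saved uids are already equal; the interesting run is as a set-uid-root binary, where the first drop can be undone by regain() and the second cannot. The final seteuid() probe in drop_permanently() is the part worth keeping in real code: it turns "I called setuid()" into "I verified there is no way back".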