The safe_setuid code

**takkaria** · June 15, 2007, 19:56

Originally posted by CJNyfalt

The safe_setuid_drop and safe_setuid_grab functions have a ridiculous number of ifdefs.

I suggests that at least SAFE_SETUID and SAFE_SETUID_POSIX is turned on permanently. For the first one, I see no reason to turn it off and for the second one, we assume in all other places that all Unix systems are Posix compatible by now.

Finally there is setegid vs setgid. Reading the manpages I can't figure out the difference. Anyone got a clue?

I'll have a look into these; for now, I googled up the following which look useful:

BSD man page for setegid
Linux man page for setegid

The Rationale section of the Open Group's setuid man page seems to explain it, but I haven't got the time right now to read it properly

This slide references a paper (PDF) which explains everything in a much lengthier fashion, which I might print out tonight and read.

**takkaria** · June 20, 2007, 14:43

Originally posted by takkaria

This slide references a paper (PDF) which explains everything in a much lengthier fashion, which I might print out tonight and read.

After reading the above paper and coming out a little confused still:

SAFE_SETUID_POSIX means "comply with the POSIX standard", but it's actually less secure than not having SAFE_SETUID_POSIX defined -- setregid has the better semantics over setgid, but it's not POSIX. This is therefore a better (I think) formulation of safe_setuid_grab():

EDIT: simplify code

Code:

void safe_setuid_grab(void)
{
#ifdef SET_UID
# if defined(HAVE_SETREGID)

	if (setregid(getegid(), getgid()) != 0)
		quit("setregid(): cannot set permissions correctly!");

# elif defined(HAVE_SETEGID)

	if (setegid(player_egid) != 0)
		quit("setegid(): cannot set permissions correctly!");

# else

	if (setgid(player_egid) != 0)
		quit("setgid(): cannot set permissions correctly!");

# endif /* HAVE_SETEGID */
#endif /* SET_UID */
}

**CJNyfalt** · June 20, 2007, 18:52

Originally posted by takkaria

This slide references a paper (PDF) which explains everything in a much lengthier fashion, which I might print out tonight and read.

You have to take a second look. The paper recommends using setresuid, which is not setreuid. See section 4.4.
In order of preference, see the slide and section 8.1.1 of the pdf:
1. setresgid (Which we doesn't have code for. Note the s.)
2. setegid (Recommends setregid for cases that we doesn't use.)
3. setgid

"Since setresuid has a clear semantics and is able to set
each user ID individually, it should always be used if
available. Otherwise, to set only the effective uid, se-
teuid(new euid) should be used; ....

setuid should be avoided ...."

**CJNyfalt** · June 20, 2007, 18:55

The code should look like this, note the changes in the first part in bold:

Code:

void safe_setuid_grab(void)
{
#ifdef SET_UID
# if defined([b]HAVE_SETRESGID[/b])

	if ([b]setresgid(-1, player_egid, -1)[/b] != 0)
		quit("[b]setresgid()[/b]: cannot set permissions correctly!");

# elif defined(HAVE_SETEGID)

	if (setegid(player_egid) != 0)
		quit("setegid(): cannot set permissions correctly!");

# else

	if (setgid(player_egid) != 0)
		quit("setgid(): cannot set permissions correctly!");

# endif /* HAVE_SETEGID */
#endif /* SET_UID */
}

**takkaria** · June 20, 2007, 22:48

Originally posted by CJNyfalt

The code should look like this, note the changes in the first part in bold:

(snip)

Got it, thanks. As I said, I came out confused.

**Neil Stevens** · June 21, 2007, 05:08

Beware what you do with the setuid stuff if you intend on supporting multiuser Angband on Darwin. Apple's apparently does something odd/buggy/whatever. I'm sorry that I can't tell you exactly what's wrong; we don't use setuid on ToME anymore so the issue became moot.

**CJNyfalt** · June 21, 2007, 06:46

Originally posted by Neil Stevens

Beware what you do with the setuid stuff if you intend on supporting multiuser Angband on Darwin. Apple's apparently does something odd/buggy/whatever. I'm sorry that I can't tell you exactly what's wrong; we don't use setuid on ToME anymore so the issue became moot.

What do you then do with high-scores (and player ghosts if you have them)? Private for each user or none at all?

**takkaria** · June 21, 2007, 11:13

Originally posted by Neil Stevens

Beware what you do with the setuid stuff if you intend on supporting multiuser Angband on Darwin. Apple's apparently does something odd/buggy/whatever. I'm sorry that I can't tell you exactly what's wrong; we don't use setuid on ToME anymore so the issue became moot.

I don't intend to support multiuser Angband on Darwin, so it's all good.

**Neil Stevens** · June 23, 2007, 04:41

Originally posted by takkaria

I don't intend to support multiuser Angband on Darwin, so it's all good.

People with X servers will be sad, heh.

**takkaria** · June 23, 2007, 12:20

Originally posted by Neil Stevens

People with X servers will be sad, heh.

Why?

We have a native port for OS X...

**Neil Stevens** · June 26, 2007, 03:25

Originally posted by takkaria

Why?

We have a native port for OS X...

Xserve systems are just Darwin-based servers, so I assume there will be people who will want to log in and run Angband over ssh the way they'd do so on any other unix server.

It's certainly not a common case, and certainly one we're dropping in ToME, but Angband's different, heh.

The safe_setuid code

The safe_setuid code

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment