Re: dropping setuid/setgid privileges

[Bruno Haible]

Sam Steingold wrote:
> so, you are _intentionally_ making your code useless to me because you
> _think_ it is not appropriate for me to use it.
> the net result is that I will be using a worse piece of code instead
> of your good code, and my users will be _less_ secure as a result of
> your grandstanding.

You are still confusing two separate issues.

  1) Putting routines that drop setuid/setgid privileges into a library
     is a recipe for provoking security vulnerabilities. This is true
     regardless whether you use my code for doing this, or yours or
     anyone else's, and regardless whether it uses abort() or not.
     Please read the comments in idpriv.h again.

  2) Whether the functions call abort() or return a particular error code,
     is a matter of API design. I think the choice I made is right, because
     it uses abort() exactly for the purpose for which it was designed.
     (This is independent of the library vs. executable issue: many
     libraries, including glibc, also use abort().)
     You can locally replace the abort() calls by anything you like, using
     gnulib-tool --local-dir [1][2].

Bruno


[1] http://www.gnu.org/software/hello/manual/gnulib/Openness.html
[2] http://lists.gnu.org/archive/html/bug-gnulib/2006-07/msg00319.html