[Bug 715] usage of BROKEN_SETREUID/BROKEN_SETREGID considered harmful

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Sep 26 02:43:02 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=715





------- Additional Comments From Robert.Dahlem at siemens.com  2003-09-26 02:43 -------
First of all: I didn't want to sound offensive. If I sounded that way then
please excuse, it's probably due to English not being my mother tongue.

I'm sorry I wasn't available for testing before the release although I'm
subscribed to the mailinglist too. But please: My job is to care for bind,
sendmail, httpd, squid, OpenSSH and some dozens of other packages while caring
for some dozens of systems and applications in production. According to the rule
"If it ain't broke: don't fix it" my policy is to upgrade only when new
functions are desired or vulnerabilities get known. "I'm sorry if people expect
me to test every software package pre-releases under the sun, but it is
impossible". :-)

I contribute ReliantUnix patches as soon as I have them. And I try to contribute
opinion. In this case my opinion is that setreuid() has a long, sad story of OSs
implementing it in a way OpenSSH considers broken. Well, then it seems not to be
a good idea to consider it working unless someone proves it's broken.

Now for something different: According to my - probably limited - knowledge
setreuid(x,y) is only different from setuid(x) when x!=y. Well, then why does
OpenSSH use only setreuid(x,x)? This looks like asking for trouble to me.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.




More information about the openssh-bugs mailing list