perl.perl5.porters | Postings from February 2011

Re: setuid and serious trouble (Re: Time to update POSIX.pm?)

From: Leon Timmermans
Date: February 3, 2011 05:07
Subject: Re: setuid and serious trouble (Re: Time to update POSIX.pm?)
Message ID: AANLkTi=xb_4gBVty0zhQtQZUDEBS1C88TVCHQ_f96sBM@mail.gmail.com

On Thu, Feb 3, 2011 at 11:14 AM, Mark Overmeer <mark@overmeer.net> wrote:
> Perl core has done nice work to hide OS differences when assigning
> to $< , so as module to provide POSIX functionality to as many
> platforms as possible, we probably can better replace the private
> XS call with
>   sub setuid($) { $< = $_[0] }

That is *not* what setuid(2) does. That would be violating people's
expectations (and indirectly the standard). Worse yet, that would
break people's code and open security holes. setuid is a mess, but
let's not redefine what the function does.

> What bothers me more, is that the POSIX standard has a separate setuid,
> seteuid and setreuid, but the POSIX module only provides one of them
> and implements it differently. Probably in a pre-SysV or BSD way, not
> POSIX 2001

The module doesn't fully document how the function may behave, but
it's not violating the standard in behavior.

> Both sentences are incorrect.  More correct on the moment:
>
>   The POSIX module provides a subset of the System Interface specification
>   POSIX 1003.1. Some of these functions directly map onto Perl functions
>   with the same name (but often more powerful behavior) and many will
>   croak because they are not relevant to Perl.

Agreed.

Leon
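
An added example, not part of the original post or of the POSIX module: a pure-Perl model of a process's real, effective and saved user IDs, comparing setuid(2) with the proposed assignment to `$<` when a privileged caller tries to drop to an ordinary user. The helper names, uid 1000 and the unprivileged permission rule in `model_assign_real_uid` are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed model of a process's user IDs: real, effective, saved.
# No real credentials are changed, so this runs unprivileged.
sub new_cred { my ($r, $e, $s) = @_; return { ruid => $r, euid => $e, suid => $s } }

# setuid(2) as POSIX 2001 specifies it: with appropriate privileges
# (modelled here as euid 0) all three IDs are set; otherwise only the
# effective ID changes, and only to the real or saved ID.
sub model_setuid {
    my ($c, $uid) = @_;
    if ($c->{euid} == 0) {
        @{$c}{qw(ruid euid suid)} = ($uid) x 3;
        return 1;
    }
    if ($uid == $c->{ruid} || $uid == $c->{suid}) {
        $c->{euid} = $uid;
        return 1;
    }
    return 0;    # EPERM
}

# The proposed replacement, sub setuid($) { $< = $_[0] }: $< is the real
# uid, so the effective uid is not touched. Saved-uid handling differs by
# platform; this model leaves it alone (assumption). The permission rule
# for unprivileged callers follows Linux setreuid(2) (assumption).
sub model_assign_real_uid {
    my ($c, $uid) = @_;
    return 0 unless $c->{euid} == 0 || $uid == $c->{ruid} || $uid == $c->{euid};
    $c->{ruid} = $uid;
    return 1;
}

# A caller can treat privileges as dropped only if no ID is still 0.
sub still_privileged { my ($c) = @_; return scalar grep { $c->{$_} == 0 } qw(ruid euid suid) }

for my $case (['root daemon', 0, 0, 0], ['setuid-root binary', 1000, 0, 0]) {
    my ($name, @ids) = @$case;
    for my $impl (['setuid(2)', \&model_setuid], ['$< = uid', \&model_assign_real_uid]) {
        my $c = new_cred(@ids);
        $impl->[1]->($c, 1000) or die "unexpected EPERM\n";
        printf "%-18s %-10s -> ruid=%d euid=%d suid=%d %s\n", $name, $impl->[0],
            @{$c}{qw(ruid euid suid)}, still_privileged($c) ? 'STILL PRIVILEGED' : 'dropped';
    }
}
```

In both starting states the modelled setuid(2) leaves all three IDs at 1000, while the assignment leaves the effective uid at 0, so code that relied on setuid to give up root would keep it.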
