Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service)

[avalon () COOMBS ANU EDU AU (Darren Reed)]

On Tue, 5 Jan 1999, D. J. Bernstein wrote:

> Venema further claims that ``a set-uid posting program cannot guarantee
> user identification.'' That claim is false. The user id is provided by
> the standard UNIX getuid() system call.


Just to be pedantic, Venema is correct.  "User identification" is a lot
more than just a getuid() system call as I'm sure you would be well aware.

If I find some other avenue to obtain a different uid to the one I normally
use, i.e. exploit some other setuid-root program, getuid() will (if I've
done my homework) thereafter fail to identity correctly which user is
sending the email.

A userid is provided by getuid() but it does not identify the user, just
the system's internal owner of the process.  Even then, there are better
choices than getuid() (depending on your POV) to determine "who" the user
"is".  For example, in any situation where a password is shared (i.e. the
root password), it is not sufficient to identify a user by uid.

Maybe getuid() is the "best" you can do, maybe not.  A lot of the OS's
these days have some sort of audit id which is sometimes less flexible
than uid's when it comes to change.

When all email is cryptographically signed (and signitures enforced)
with keys that are not trivial to guess and aren't easily forged, then
we will have a better chance of being assured of a "user's identity".