authorpeter <peter@FreeBSD.org>1997-03-31 15:13:33 +0000
committerpeter <peter@FreeBSD.org>1997-03-31 15:13:33 +0000
commita67a7fef66afd2908c026ada6b68da9cddaeb48e (patch)
treefd1a89cacbbf26c14f7762f9d1d9c7f56918d349 /sys/kern/kern_prot.c
parentdb3b5e918097f96d157f1b583a6b54c7b6ac53d9 (diff)
Implement code for an OpenBSD-style issetuigid().
This is valuable for library code which needs to be able to find out whether the current process is or *was* set[ug]id at some point in the past, and may have a "tainted" execution environment. This is especially a problem with the trend to immediately revoke privs at startup and regain them for critical sections. One problem with this is that if a cracker is able to compromise the program while it's still got a saved id, the cracker can direct the program to regain the privs. Another problem is that the user may be able to affect the program in some other way (eg: setting resolver host aliases) and the library code needs to know when it should disable these sorts of features. Reviewed by: ache Inspired by: OpenBSD (but with a different implementation)
Diffstat (limited to 'sys/kern/kern_prot.c')
-rw-r--r--sys/kern/kern_prot.c27
1 files changed, 26 insertions, 1 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index b408029..d1c4db4 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -36,7 +36,7 @@
* SUCH DAMAGE.
*
* @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
- * $Id: kern_prot.c,v 1.29 1997/03/31 13:41:49 peter Exp $
+ * $Id: kern_prot.c,v 1.30 1997/03/31 13:47:00 peter Exp $
*/
/*
@@ -674,6 +674,31 @@ setregid(p, uap, retval)
return (0);
}
+#ifndef _SYS_SYSPROTO_H_
+struct issetugid_args {
+ int dummy;
+};
+#endif
+/* ARGSUSED */
+int
+issetugid(p, uap, retval)
+ register struct proc *p;
+ struct issetugid_args *uap;
+ int *retval;
+{
+ /*
+ * Note: OpenBSD sets a P_SUGIDEXEC flag set at execve() time,
+ * we use P_SUGID because we consider changing the owners as
+ * "tainting" as well.
+ * This is significant for procs that start as root and "become"
+ * a user without an exec - programs cannot know *everything*
+ * that libc *might* have put in their data segment.
+ */
+ if (p->p_flag & P_SUGID)
+ return (1);
+ return (0);
+}
+
/*
* Check if gid is a member of the group set.
*/
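Review bot: The new issetugid() hands its answer back through the function return value (`return (1);`) and never writes `retval`, which the ARGSUSED marker confirms is unused. If this handler follows the usual convention for syscall handlers, where the return value is an errno and the result travels through `*retval` (the dispatch code is outside the hunk, so this is inferred), a tainted process would get a failure with errno 1 (EPERM) rather than the value 1. Library code that tests `issetugid() == 1`, or that treats an error as "not tainted", would then keep its environment-driven features enabled in exactly the case where they should be off. Suggest `*retval = (p->p_flag & P_SUGID) ? 1 : 0;` followed by `return (0);`.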