Opinion on checking return value of setuid(getuid())?

Erik Cederstrand erik at cederstrand.dk
Tue Oct 2 12:38:22 UTC 2012


Den 01/10/2012 kl. 13.55 skrev Eitan Adler <lists at eitanadler.com>:

> On 1 October 2012 07:08, Konstantin Belousov <kostikbel at gmail.com> wrote:
>> I do not believe in the dreadful 'flood ping' security breach. Is a
>> local escalation possible with non-dropped root ?
> 
> It is clearly a local escalation: a non-root user can do something
> which was intended only for root. It is a different question how
> serious the breach is.

Are there any objections to the path I attached in my first post? To the approach in general? If not, I'll send a PR so it doesn't get lost.

Thanks,
Erik


More information about the freebsd-security mailing list