Thomas Bushnell BSG, on Tue 29 Aug 2006 11:58:43 -0700, wrote:
> Samuel Thibault <[EMAIL PROTECTED]> writes:
>
> > Roland McGrath, on Mon 28 Aug 2006 17:34:24 -0700, wrote:
> >> It sounds like you are describing the intended behavior.
> >> You can't send a signal to a setuid program with kill.
> >
> > For a process to have permission to send a signal to a process designated
> > by pid, unless the sending process has appropriate privileges, the real or
> > effective user ID of the sending process shall match the real or saved
> > set-user-ID of the receiving process.
> >
> > And setuid programs keep the real user ID set to Joe user's, so that Joe
> > user can kill the program he launches.
>
> This is not quite correct.
>
> Most setuid programs do *not* keep the real user ID alone; instead,
> they explicitly change it to match the effective user ID. This is
> important.

Setuid programs themselves might, yes. But the system mustn't change
it itself (Hurd's proc correctly doesn't). Because some programs other
than passwd (an X server for instance) need to be killable by the very
user that started them (via xinit).

> If the "passwd" program could be interrupted at will by
> its caller, for example, then it might leave an incompletely written
> and locked password file around.

Agreed. But POSIX says (and some setuid programs rely on this) that by
default, a setuid program can be killed by the user who launched it.

Samuel
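
The following is an added example, not part of the original thread and not Hurd's proc code: a small C model of the kill() permission rule quoted above, applied to the two kinds of setuid program the thread contrasts. The struct, the function names, the sample user IDs 1000 and 1001, and treating "appropriate privileges" as effective user ID 0 are all assumptions of the sketch.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model types; uid values below are constructed samples. */
struct cred { unsigned ruid, euid, suid; };   /* real, effective, saved set-user-ID */

struct cred login(unsigned u) { struct cred c = { u, u, u }; return c; }

/* exec of a set-user-ID file: effective and saved IDs become the file
 * owner's, the system leaves the real ID untouched. */
struct cred exec_setuid(struct cred caller, unsigned owner) {
    struct cred c = { caller.ruid, owner, owner };
    return c;
}

/* setuid() per POSIX; "appropriate privileges" is modelled as euid 0
 * (an assumption of this sketch). */
int model_setuid(struct cred *c, unsigned target) {
    if (c->euid == 0) { c->ruid = c->euid = c->suid = target; return 0; }
    if (target == c->ruid || target == c->suid) { c->euid = target; return 0; }
    return -1;
}

/* kill() rule quoted in the thread: sender's real or effective ID must
 * match receiver's real or saved set-user-ID, unless privileged. */
bool may_signal(struct cred s, struct cred r) {
    if (s.euid == 0) return true;
    return s.ruid == r.ruid || s.ruid == r.suid ||
           s.euid == r.ruid || s.euid == r.suid;
}

/* Set-user-ID-root program that keeps the caller's real ID (the X server case). */
struct cred keeps_real_uid(unsigned user) { return exec_setuid(login(user), 0); }

/* Set-user-ID-root program that sets its real ID itself (the passwd case). */
struct cred sets_real_uid(unsigned user) {
    struct cred c = exec_setuid(login(user), 0);
    model_setuid(&c, 0);
    return c;
}

int main(void) {
    struct cred joe = login(1000), other = login(1001);
    printf("joe   -> X server: %d\n", may_signal(joe, keeps_real_uid(1000)));
    printf("other -> X server: %d\n", may_signal(other, keeps_real_uid(1000)));
    printf("joe   -> passwd:   %d\n", may_signal(joe, sets_real_uid(1000)));
    return 0;
}
```

The launching user stays able to signal the program only because exec leaves the real user ID alone; a proc server that rewrote it at exec time would turn every setuid program into the passwd case.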
