Warnings under OpenBSD

Christopher R. Hertel crh at nts.umn.edu
Tue Jun 8 16:37:16 GMT 1999 

> 
> > The attitude is one of "if you don't understand it, don't ask the
> > question."
> 
> pity

Yes.  From what I understand, OpenBSD was born out of a rift within the 
NetBSD development group.  On the plus side, the OpenBSD crowd are very 
sticky about security and the product is very nice.  On the minus side, 
there is little effort at etiquette.  I have, so far, found it worth-while 
to put up with this.  Also, I'd note that they much less support than the 
Linux community, and so less time for explanations or pleasantries.

> > The mktemp() replacement mkstemp() removes the race condition my
> > returning you a file handle rather than a file name to then open().
> 
> which is no good for the way we use mktemp() in Samba. We *need* the
> filename as it gets passed back to the client so we need a real file,
> not a handle pointing at an unlinked file. We use mktemp() safely by
> including the O_EXCL bit in the open. 

Cool.

> unfortunately these sort of "dumb programmer detection" systems don't
> detect when someone is using a oft-abused function correctly, so they
> spit out warnings, which means our mailboxes fill up with people
> telling us that we have a security hole.

Now, now.  I just asked for comments.  ;)

> it's tempting to write out own mktemp() just to avoid these damn
> emails, it just seems so stupid as what we need is exactly what
> mktemp() gives, and I hate coding around idiotic warnings.

Sorry, Andrew.  Didn't know it was a hot button.

> > > lib/util_sec.o: warning: this program uses setregid(), which is deprecated.
> 
> does the man page say what the preferred alternative to setregid() is
> for OpenBSD?

The OpenBSD man page for setregid() says this:

"The setregid() function was intended to allow swapping the real and 
effective group IDs in set-group-ID programs to temporarily relinquish 
the set-group-ID value.  This function did not work correctly, and its 
purpose is now better served by the use of the setegid() function (see 
setuid(2))."

Urq.

Full manual page info available at: http://www.openbsd.org/cgi-bin/man.cgi

> the irony is that we started using setregid() when available because
> other OSes deprecated the use of setegid() and instead encouraged
> setregid().

...and OpenBSD does the opposite.  I'd be interested to know what 
"doesn't work correctly" regarding setreguid().  I'll ask (and then 
immediately duck for cover).

Chris -)-----

-- 
             -- I have a shoehorn, the kind with teeth. --
                                  ---
Christopher R. Hertel -)-----                   University of Minnesota
crh at nts.umn.edu              Networking and Telecommunications Services

More information about the samba-technical mailing list