Bugtraq mailing list archives

Re: ncurses 4.1 security bug


From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Wed, 8 Jul 1998 15:53:27 +0100


SUID programs should drop privs almost immediately. The number of
possible places such issues can lurk is semi-infinite. You'll never
get all of them. You *can*, however, drop privs almost instantly.

Almost is often the killer. On the rest of the issues I'm sure you are
preaching to the choir right now.

1.  The libraries will use message catalogs and may open them before
    you do

In NetBSD, the message catalogs we use don't work that way, so I
suppose I'm not familiar with this issue.

Does libc load message databases of your choice - like say /dev/tape ? The
problems are those of dropping privileges early enough. As to the bug list
that's real apps that need fixing - and should be fixed regardless of whether
people bandaid ncurses.

2.  If you are using C++ your constructors can't call libc in this case
    as the order of constructors isn't defined

???

Why not just drop privs at the beginning as you are supposed to?

In C++ _you can't_

C++ global object constructors are called in pretty much arbitrary order before
main() is entered.

It's an interesting reason not to write setuid apps in C++ 8)
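
The ordering problem from point 2, as an added example that is not part of the original post: a global object's constructor has already run by the time main() executes its first statement, so a privilege drop placed there does not cover it. `Logger`, `trace()`, `drop_privileges()` and `code_run_before_drop()` are hypothetical names chosen for illustration.

```cpp
#include <unistd.h>
#include <sys/types.h>
#include <string>
#include <vector>

// One entry per piece of code that ran, with the effective UID it saw.
struct Event { std::string what; uid_t euid; bool before_drop; };

static bool g_dropped = false;   // constant-initialized, so valid in any constructor

std::vector<Event>& trace() {    // function-local static: usable from any constructor
    static std::vector<Event> t;
    return t;
}

// Stand-in for any global object in the program or in a library it links.
struct Logger {
    Logger() { trace().push_back({"Logger::Logger", geteuid(), !g_dropped}); }
};
static Logger g_logger;          // constructed before main() is entered

// Permanently give up the setuid identity; returns true on success.
bool drop_privileges() {
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0) return false;  // group first, then user
    g_dropped = true;
    trace().push_back({"drop_privileges", geteuid(), false});
    return geteuid() == ruid;
}

// Number of recorded events that executed while privileges were still held.
int code_run_before_drop() {
    int n = 0;
    for (const Event& e : trace())
        if (e.before_drop) ++n;
    return n;
}

int main() {
    if (!drop_privileges()) return 1;            // first statement of main()
    return code_run_before_drop() == 0 ? 0 : 2;  // nonzero: a constructor got there first
}
```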


