Re: SECURITY HOLE!!! (with nosuid, found on ext fs, 0.97 kernel)


In article <seVJL=_00WB_I2qoQ3@andrew.cmu.edu> Frank T Lofaro <fl0p+@andrew.cmu.edu> writes:

Running suid/sgid programs without extra privileges usually has some nasty
side effects:

  - a program may fail in non-obvious ways. I've seen this several times
    where bad code doesn't check whether operations that depend on suid
    fail.
  - programs like xterm and screen may lose their ability to keep utmp
    up to date and may fail to protect ptys properly. I don't know
    whether the latter is a problem on Linux.
  - you can continue being lazy and ignore that you're running programs
    in a context they don't expect ;-)

Most importantly, nosuid (with nodev) is typically used when mounting
devices that you don't consider trustworthy, like floppy disks, archives
(via NFS), user disks in an insecure environment, etc. In those cases
it's desirable that any attempt to run suid files just returns a
complaint, because suid files aren't supposed to be on the media.


It's trivial either way. Implementing such changes of "kernel policy"
as a config option rather than as a mount option seems to be more common,
but there's really no big difference. (Besides that you'd have to find a
new mount option name ;-)


Could somebody with access to the POSIX standard documents please have a
look at this?

- Werner
-- 
   _________________________________________________________________________
  / Werner Almesberger, ETH Zuerich, CH      almesber@nessie.cs.id.ethz.ch /
 / IFW A44  Tel. +41 1 254 7213                 almesberger@rzvax.ethz.ch /
/_BITNET:_ALMESBER@CZHETH5A__HEPNET/CHADNET:_[20579::]57414::ALMESBERGER_/
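
Added example, not part of the original message: an audit of a mount table for untrusted media mounted without nosuid or nodev, the combination the message describes. The sample table, the mount points, and the policy of what counts as untrusted are constructed assumptions.

```python
import re

# Constructed sample in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/fd0 /mnt/floppy vfat rw,nosuid,nodev,noexec 0 0
fileserver:/archive /mnt/archive nfs rw,nodev,relatime 0 0
/dev/sdb1 /media/user\\040disk ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

# Assumption: which mounts count as untrusted is a local policy decision.
UNTRUSTED_FSTYPES = {"nfs", "nfs4", "vfat", "msdos", "iso9660"}
UNTRUSTED_PREFIXES = ("/mnt/", "/media/")
REQUIRED_OPTIONS = ("nosuid", "nodev")


def unescape(field):
    """Decode the octal escapes (\\040 for space etc.) used in /proc/mounts."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def audit_mounts(text):
    """Return (mountpoint, fstype, missing_options) for each untrusted mount
    that lacks one of the required options."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        mountpoint, fstype = unescape(parts[1]), parts[2]
        options = set(parts[3].split(","))
        untrusted = (fstype in UNTRUSTED_FSTYPES
                     or mountpoint.startswith(UNTRUSTED_PREFIXES))
        missing = [opt for opt in REQUIRED_OPTIONS if opt not in options]
        if untrusted and missing:
            findings.append((mountpoint, fstype, missing))
    return findings


if __name__ == "__main__":
    for mountpoint, fstype, missing in audit_mounts(SAMPLE_MOUNTS):
        print(f"{mountpoint} ({fstype}): missing {','.join(missing)}")
```

To check a live Linux system, pass the contents of /proc/mounts to audit_mounts() in place of the sample.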

Messages in current thread:
Re: SECURITY HOLE!!! (with nosuid, found on ext fs, 0.97 ker..., Werner Almesberger, (Sun Aug 9, 4:24 pm)