<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Hello all,</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">While reading the man page for getprogname(3) on NetBSD, I came across a restriction </div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><span style="background-color:rgb(255,255,255)"><font color="#000000"><span style="font-variant-ligatures:no-common-ligatures;font-family:"Andale Mono";font-size:13px">RESTRICTIONS</span></font></span></div>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Andale Mono""><span style="background-color:rgb(255,255,255)"><font color="#000000"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">The string returned by </span><span class="gmail-s2" style="font-variant-ligatures:no-common-ligatures">getprogname</span><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">() is supplied by the invoking<span class="gmail_default" style="font-family:arial,helvetica,sans-serif"> </span>process<span class="gmail_default" style="font-family:arial,helvetica,sans-serif"> </span></span></font></span><span style="color:rgb(0,0,0);font-variant-ligatures:no-common-ligatures">and should not be trusted by </span>setuid<span style="color:rgb(0,0,0);font-variant-ligatures:no-common-ligatures"> or </span>setgid<span style="color:rgb(0,0,0);font-variant-ligatures:no-common-ligatures"> programs.</span></p><div><br></div><div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">I don't understand how it could be exploited in a program using setuid or setgid. Does anyone have an idea?</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><span class="gmail_default"><br></span></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><span class="gmail_default">Thanks,</span></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><span class="gmail_default">Aubhik Mazumdar</span></div></div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><div><br></div></div></div></div></div></div></div></div></div>