WG15 Defect Report Ref: 9945-1-60
Topic: real UID, effective UID and saved-set UID


This is an approved interpretation of 9945-1:1990.


Last update: 1997-05-20


                                                                9945-1-90 #60

        Classification:  No Change to 9945-1-90 required.
                         Investigations of the 13210 test method standard
                         have identified a conflict.
 

The situation is unambiguous; the standard says what it says.
However, it does raise a conflict between the base standard and
the test method standard.
_____________________________________________________________________________

	Topic:			real UID, effective UID and saved-set UID
	Relevant Sections:	2.2.2.4, 5.6.4.2


Defect Report:
-----------------------

Question 1:
  Does an implementation that possesses the constraint such that:
       The process's real UID, effective UID, and
       saved-set-UID are the same for every process of a
       login session and cannot be changed by POSIX.1
       function calls.
  conform to ISO/IEC 9945-1:1990?


Question 2:
  When both POSIX.1 conformance and _POSIX_SAVED_IDS defined in <unistd.h>
  ({_POSIX_SAVED_IDS} support) are required, does an implementation
  that possesses the constraint such that:
       The process's real UID, effective UID, and
       saved-set-UID are the same for every process of a
       login session and cannot be changed by POSIX.1
       function calls.
  conform?

  In the rationale for this interpretation, please address the question:
      "When a profile of the POSIX.1 standard requires feature 'A', does
      this implicitly specify the requirement of all other features
      needed to support the required feature 'A'?"  (In other words,
      which takes precedence, the specification of feature 'A' or the
      failure to specify one of the other features needed to support
      feature 'A'?)


WG15 response for ISO/IEC 9945-1:1990 (IEEE Std 1003.1-1990)
--------------------------------------------------

WG15 response for 9945-1:1990 Question 1.

An implementation where the real UID, effective UID, and saved set-user-ID
of the process are constrained to be the same for
every process of a login session and cannot be changed by POSIX.1
function calls does conform to ISO/IEC 9945-1:1990
if it meets the rest of the requirements for the standard.

If a process has the same value for its real UID, effective UID,
and saved set-user-ID, it must have the appropriate privilege in
order to use setuid() to change its real and effective user IDs.
The description of appropriate privileges (2.2.2.4) says "There may
be zero or more such means".  A conforming implementation need not
provide a means to associate with a process the appropriate
privilege to change user IDs.

The description of the chmod() function says, in part (5.6.4.2):

    Additional implementation-defined restrictions may cause the
    S_ISUID and S_ISGID bits in 'mode' to be ignored.

This means that a conforming implementation need not provide a
means by which the S_ISUID bit can be set for a file, so the exec
type functions might not be able to change a process's effective
user ID.

There is no requirement in ISO/IEC 9945-1:1990 that would require that an
implementation provide a means to change user IDs other than those
that are explicitly specified in ISO/IEC 9945-1:1990.

Implications for ISO/IEC 13210:1994:

Assertions 13 and 14 of 5.6.1.2, which test the semantics of exec
type functions for files with the S_ISUID and S_ISGID masks set,
should be changed to show that they are subject to the
PCTS_CHMOD_SET_IDS testing constraint (see 1.4.5.1 of ISO/IEC
13210:1994):

    13(PCTS_CHMOD_SET_IDS?A:UNTESTED)

    14(PCTS_CHMOD_SET_IDS?A:UNTESTED)

Until these assertions can be modified, there will be a conflict
between ISO/IEC 9945-1:1990 and ISO/IEC 13210:1994.  Test suite
implementors and test suite users will have to make the choice
whether to test for conformance to 9945-1:1990 or to 13210:1994.


Background information on impact on 13210:1994:

The "constraint":
        The process's real UID, effective UID, and
        saved-set-UID are the same for every process of a
        login session and cannot be changed by POSIX.1
        function calls.
was unknown when ISO/IEC 13210:1994 was produced and balloted.  I also
assume this was unknown to ISO/IEC 9945-1:1990.  This "constraint"
requires changes to 13210 in addition to those listed above to
adequately specify the allowed behavior.

Since this feature requires the IDs to be the same for every process of
a login session, they cannot change.  Therefore, changes are also
required for setuid() and setgid() in POSIX.1 and POSIX.3.1.



WG15 response for 9945-1:1990 Question 2

ISO/IEC 9945-1:1990 does not define any semantics for
{_POSIX_SAVED_IDS} that can be detected by an application running
on an implementation on which each process's real UID, effective
UID, and saved set-user-ID are the same and cannot be changed, as
long as the implementation meets all of the requirements of the
standard.

On such an implementation there is no way that a conforming
application can tell whether saved set-user-IDs are implemented or
not.  The behavior of a conforming application cannot be affected
by whether {_POSIX_SAVED_IDS} is defined or not. Thus, such an
implementation would be conforming.

The Standard is silent on the issue of whether it is appropriate to
define {_POSIX_SAVED_IDS} on a system on which the user IDs of a
process cannot be changed.  This means that it is unspecified
whether it is appropriate, so it is conforming to set the constant
or not to set it.  The rationale for the definition of
'unspecified' (B.2.2.1, page 198, lines 547-549) expresses the
intent of the 9945-1 working group on issues of this sort:

    There is a natural tendency to infer that if the standard is
    silent, a behavior is prohibited.  That is not the intent.
    Silence is intended to be equivalent to the term `unspecified'.



Rationale for Interpretation:
-----------------------------
It is not the intent of ISO/IEC 9945-1:1990 to create
implementation requirements that go beyond the explicit
specifications in the Standard. In particular, it is not intended
that there be implicit linkages between the various choices that
ISO/IEC 9945-1:1990 leaves open for the implementor, only the
linkages explicitly stated in the Standard.

Profiles are beyond the scope of ISO/IEC 9945-1:1990, and it is
the responsibility of the author of a profile to ensure that the
specifications in the profile are sufficiently precise that they
will have the desired effect in light of the implementation choices
that are allowed by ISO/IEC 9945-1:1990.  The author of a profile
is free to explicitly restrict the implementor's choices in any way
that is compatible with ISO/IEC 9945-1:1990.  The author should
take care to understand the explicit provisions of ISO/IEC
9945-1:1990, and to make explicit any special requirements that are
not spelled out there.

If specific features are needed, the profile should ask for them.
ISO/IEC 9945-1:1990 does not define a hierarchy of prerequisites
that requires that one optional feature be supported because a
related feature is required.
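
Added example (not part of the WG15 text): since the interpretation lets a
conforming implementation ignore S_ISUID and S_ISGID in chmod() and define
{_POSIX_SAVED_IDS} either way, a program that depends on these features has
to probe for them. The function names and the scratch-file prefix below are
hypothetical; sysconf(_SC_SAVED_IDS) is the standard run-time query.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a scratch file in `dir`, request S_ISUID|S_ISGID through chmod(),
 * and store in *honored the bits the file really carries afterwards.
 * Returns 0 if the probe ran, -1 if the scratch file could not be set up. */
int probe_chmod_set_ids(const char *dir, mode_t *honored)
{
    char path[1024];
    struct stat st;
    int fd, rc = -1;

    *honored = 0;
    if (snprintf(path, sizeof path, "%s/setidsXXXXXX", dir) >= (int)sizeof path)
        return -1;
    if ((fd = mkstemp(path)) < 0)
        return -1;
    /* A refused chmod() is reported like ignored bits: neither is usable. */
    if (chmod(path, S_IRUSR | S_IWUSR | S_ISUID | S_ISGID) != 0) {
        if (errno == EPERM)
            rc = 0;
    } else if (fstat(fd, &st) == 0) {
        *honored = st.st_mode & (S_ISUID | S_ISGID);
        rc = 0;
    }
    close(fd);
    unlink(path);               /* the empty, non-executable file is removed */
    return rc;
}

/* 1 if the system advertises saved set-user-IDs at run time, else 0. */
int saved_ids_advertised(void)
{
    return sysconf(_SC_SAVED_IDS) > 0;
}

int main(void)
{
    mode_t got;
    if (probe_chmod_set_ids("/tmp", &got) != 0)
        return 1;
    printf("S_ISUID honored: %s, S_ISGID honored: %s\n",
           (got & S_ISUID) ? "yes" : "no", (got & S_ISGID) ? "yes" : "no");
    printf("saved IDs advertised: %s\n", saved_ids_advertised() ? "yes" : "no");
    return 0;
}
```

A "yes" for saved IDs only reports the constant; as the response to
Question 2 notes, it does not show that any user ID can actually be changed.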

_____________________________________________________________________________