Swapping userids

[utzoo!decvax!duke!unc!smb]

The simplest scheme I've heard of is the "schizo" system call, which
swaps the real and effective uids and gids.  That allows a process to
resume the original permissions, open a file, and then regain its
privileged status.

A separate question is what to do when a setuid program wants to run
another setuid program, especially mkdir.  4BSD (and I think some other
flavors of UNIX) allow setuid(geteuid()); that permits a child process to
assume the appropriate permissions before execing to the second setuid
program.  A typical case would be Version B netnews needing to create
a subdirectory of a protected directory owned by 'news'.  An idea I've
heard, and which doesn't have any obvious flaws (to me, at least -- but
my mind isn't as twisty as some folks'), is to set the real uid to the
old effective uid when execing a setuid program; in effect, that permits
automatic and unlimited stacking of permissions.  But that doesn't answer
Lauren's original question.