security review and patches for libpurple

[Dan Auerbach]

On 08/15/2011 11:24 PM, Mark Doliner wrote:
> On Thu, Aug 11, 2011 at 8:08 PM, Ethan Blanton<elb at pidgin.im>  wrote:
>> Dan Auerbach spake unto us the following wisdom:
>>>> * bonjour-geteuid.diff
>>>>
>>>>    I think this is just wrong.  It looks to me like we *want* euid, not
>>>>    uid.  I can't think of any reason to setuid Pidgin in the first
>>>>    place, but if we do, it seems like the euid is probably who you want
>>>>    to be running Pidgin.  I don't know.  It's not clear to me how this
>>>>    should be changed either way.
>>> I believe this patch replaces uid with euid.
>> It does.  This just goes to show you how nonsensical the difference is
>> between getuid and geteuid in this case.  When I rejected the patch, I
>> was convinced that getuid was correct and geteuid was wrong, and all I
>> remembered was that the patch was wrong.  This time I thought it did
>> the opposite, and still convinced myself the patch was wrong.
>>
>> I think the bottom line is that setuid Pidgin is just broken, so it
>> isn't clear whether you'd want uid or euid.  :-) I guess I have no
>> feelings about this patch's correctness either way, because I think
>> the difference is moot.
> I think uid is better.  The function is just trying to get some form
> of friendly name to use for yourself on your local network.  I can't
> imagine why someone would setuid their Pidgin binary, but if they do I
> think it makes more sense to use the name of the user calling the
> binary and NOT the name of the owner of the binary.
>
> Unless there is some reason to use the euid that no one has mentioned yet?
>
> --Mark
>
I agree this code to setuid is strange. I think the idea behind using 
euid is that it enforces a slightly more accurate name, but since it is 
just intended to be a friendly name, I don't feel too strongly about 
this. Chris P might have additional thoughts.