- It is now possible to skip the setuid step altogether by setting both
UID and GID to the special value -1.
- The Java code now verifies that the values are in range for an
unsigned 16-bit ID.
- The C code now verifies that the cast from jint to uid_t/gid_t does
not overflow.
- The C code now skips setuid() or setgid() if the real and effective ID
are already the desired ID.
The 16-bit limit is somewhat arbitrary. Some old UNIX systems, such as
PWB/UNIX, supported only 8-bit IDs (see for example
/usr/man/man2/getuid.2 in Henry Spencer’s tarball); Wikipedia claims
that some other UNIX systems used 15-bit values, but does not specify
which systems; Linux originally supported 16-bit IDs but then added
support for 32-bit IDs with new syscalls in Linux 2.4. On Debian
systems, the nobody user (default setuid target) is 65534, so we need to
allow at least 16-bit IDs, otherwise the default value is invalid.
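As an added illustration (not the project's own Java or C code), the checks described above, collapsed into one stand-alone C file so they can be run and tested without a JVM: the -1 skip sentinel, the unsigned 16-bit range check that the Java side performs, the check that the jint to uid_t cast loses no bits, and the early return when the real and effective UID already match. `jint` is a local typedef standing in for JNI's type; `id_in_range`, `jint_to_uid`, `change_uid` and the `id_result` codes are names chosen here, not the project's. Only the UID path is shown; the GID path is identical with gid_t, getgid(), getegid() and setgid().

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Stand-in for JNI's jint (a signed 32-bit integer), so this file compiles
 * without jni.h. Real JNI code would #include <jni.h> instead. */
typedef int32_t jint;

#define ID_SKIP ((jint)-1)    /* special value: leave this ID untouched */
#define ID_MAX  ((jint)65535) /* largest unsigned 16-bit ID; Debian's nobody is 65534 */

enum id_result {
    ID_FAILED  = -2,  /* setuid() was attempted and failed (check errno) */
    ID_INVALID = -1,  /* value rejected before any syscall */
    ID_SKIPPED = 0,   /* nothing to do */
    ID_CHANGED = 1    /* setuid() succeeded */
};

/* The same test the Java side applies: either the skip sentinel or an
 * unsigned 16-bit value. */
int id_in_range(jint id)
{
    return id == ID_SKIP || (id >= 0 && id <= ID_MAX);
}

/* Convert a jint to uid_t, refusing anything that does not round-trip.
 * A negative jint would wrap to a huge UID if uid_t is unsigned, and a
 * uid_t narrower than jint would silently truncate large values. */
int jint_to_uid(jint id, uid_t *out)
{
    if (id < 0)
        return -1;
    uid_t u = (uid_t)id;
    if ((uintmax_t)u != (uintmax_t)id)   /* bits were lost in the cast */
        return -1;
    *out = u;
    return 0;
}

/* Decide whether to call setuid() for `wanted`. The current real and
 * effective UIDs and the setuid function are passed in so the decision
 * logic can be exercised without root; the production caller passes
 * getuid(), geteuid() and setuid (see main below). */
enum id_result change_uid(jint wanted, uid_t real, uid_t eff,
                          int (*do_setuid)(uid_t))
{
    uid_t target;

    if (wanted == ID_SKIP)
        return ID_SKIPPED;                     /* -1: skip setuid entirely */
    if (!id_in_range(wanted) || jint_to_uid(wanted, &target) != 0)
        return ID_INVALID;                     /* out of range or lossy cast */
    if (real == target && eff == target)
        return ID_SKIPPED;                     /* already there: no syscall */
    return do_setuid(target) == 0 ? ID_CHANGED : ID_FAILED;
}

int main(void)
{
    jint wanted = 65534;   /* Debian's nobody, the default setuid target */
    enum id_result r = change_uid(wanted, getuid(), geteuid(), setuid);
    const char *msg = r == ID_CHANGED ? "changed" :
                      r == ID_SKIPPED ? "skipped" :
                      r == ID_INVALID ? "invalid id" : "failed";
    printf("setuid(%ld): %s\n", (long)wanted, msg);
    return r == ID_FAILED ? 1 : 0;
}
```

Passing the current IDs and the setuid function as parameters is only there to make the decision logic testable as an unprivileged user; in the real JNI function the three arguments are getuid(), geteuid() and setuid. Run as root, main drops to 65534 and prints "changed"; run as an ordinary user it prints "failed" because setuid() to another UID is refused with EPERM.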