Another way to look at this: if you're typing "setreuid" into your code, you're doing it wrong. Most networked Ruby programs don't need to run with superuser creds in the first place. Factor the need out of your code.

The threat model in this post is a bit dated, too. The EUID is insecure if (paraphrase) "you can execute arbitrary code in the process, because you could just execute setuid()". That's true, but it neglects the fact that if I can run arbitrary code in your process, you're fucked anyways:

* Localhost nobody->root is a speed bump on most Linux deployments.

* If your app works as "nobody", so does an attacker with "nobody" creds.

* "Nobody" has network access, can talk directly to your database, and to every insecure box in your data center.
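
An added example, not part of the comment above or of the post it replies to: a Ruby audit check that reads the `Uid:`/`Gid:` lines of a Linux `/proc/<pid>/status` file and reports whether a process that looks unprivileged still holds a real or saved ID of 0, which is the effective-UID-only drop the comment calls reversible. The function names and sample status texts are constructed for illustration; supplementary groups and capabilities are not checked.

```ruby
# Constructed samples of /proc/<pid>/status content (Linux); values are made up.
# Field order on the Uid:/Gid: lines is real, effective, saved, filesystem.
TEMP_DROP  = "Name:\truby\nUid:\t0\t65534\t0\t65534\nGid:\t0\t65534\t0\t65534\n"
FULL_DROP  = "Name:\truby\nUid:\t65534\t65534\t65534\t65534\n" \
             "Gid:\t65534\t65534\t65534\t65534\n"
STILL_ROOT = "Name:\truby\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
ROOT_GROUP = "Name:\truby\nUid:\t65534\t65534\t65534\t65534\n" \
             "Gid:\t0\t65534\t0\t65534\n"

# Extract the four IDs from the "Uid:" or "Gid:" line of a status text.
def parse_ids(status_text, key)
  line = status_text.each_line.find { |l| l.start_with?("#{key}:") }
  raise ArgumentError, "no #{key} line in status text" unless line
  ids = line.split[1..4].map { |field| Integer(field, 10) }
  raise ArgumentError, "malformed #{key} line" unless ids.size == 4
  %i[real effective saved fs].zip(ids).to_h
end

# Classify the credential state of a process from its status text.
def classify(status_text)
  uid = parse_ids(status_text, "Uid")
  gid = parse_ids(status_text, "Gid")
  return :running_as_root if uid[:effective].zero?
  # An unprivileged process may set its effective UID back to its real or
  # saved UID, so a leftover 0 in either slot means root is one call away.
  return :reversible_uid_drop if uid[:real].zero? || uid[:saved].zero?
  # A leftover GID 0 is likewise retained or recoverable group privilege.
  return :root_group_retained if gid.values.any?(&:zero?)
  :dropped
end

# Stand-alone use: report on the current process when /proc is available.
if __FILE__ == $0 && File.readable?("/proc/self/status")
  puts "self: #{classify(File.read('/proc/self/status'))}"
end
```

A `:dropped` result only says the UID/GID slots are clean; the comment's other points (local escalation from "nobody", network and database reach) are outside what this check can see.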