non-superuser chown(2)s considered harmful

Tom Christiansen tchrist at convex.COM
Sun Dec 9 02:58:55 AEST 1990 

In article <18792 at rpp386.cactus.org> jfh at rpp386.cactus.org (John F Haugh II) writes:
>The context of the thread was that chown() messes up the quota mechanism,
>and is therefore evil.  

That's one reason.  I think there are others.  Being able to make an 
arbitrary file belong to another user seems almost as bad as making
an arbitrary file owned by you.  It runs against my intuitive feel
for what the ownership of a file really is.  If I want to know whose
file this is, should I mail every user on the system, or should I 
examine the owner field in the inode?  Some programs rely on the
ownership of a file to make inferences about what is a safe and
reasonable operation vis-a-vis security.  I'm not ready to accept
that programs that do this a "just stupid broken BSD hacks" as the
ATT folks maintain.  It also bother me that I can create files that
I can no longer unlink or even access without superuser assistance.

>The result of making a system call "root-only" is that any application
>which might have a legitimate need to execute that function must be
>set-uid to root in order to perform that now privileged operation.
>For example, if all the unallocated TTY devices were owned by "uucp",
>all the applications which deal with TTY devices would only have to
>be set-UID to "uucp".  Unfortunately, if you have an application that
>wants to change the ownership to the user, such as cu, you must now
>make cu set-UID to "root".

Yes, there is that unfortunate consequence.  No one ever said the
all-or-nothing way of doing superuser privileges on UNIX was the optimal
route.  That's why a lot of us have written interfaces to provide limited
superuser access.  See the sudo.c program in Evi Nemeth's sysadmin book,
or read about the op program I describe in the LISA-3 proceedings.

If you could switch a file's ownership between real and effective uid's,
this wouldn't be a problem.  Since a process can always cp a file, at
which time it will be owned by whichever ID was active at the time, I
don't see why that can't be allowed.

--tom
--
Tom Christiansen		tchrist at convex.com	convex!tchrist
"With a kernel dive, all things are possible, but it sure makes it hard
 to look at yourself in the mirror the next morning."  -me

More information about the Comp.unix.internals mailing list