non-superuser chown(2)s considered harmful

Anthony DeBoer adeboer at gjetor.geac.COM
Tue Jan 8 01:51:46 AEST 1991


A while back in this thread we were discussing what to do about files in users'
directories that they didn't own; I advocated rm'ing them during nightly
cleanup and got lightly flamed and somebody else said it would be better to
chown them to the user.  Over the weekend something filtered up from the
subconscious:  Suppose a user does: "ln /usr/bin/vi /usr/myself" one evening.
The nightly cleanup sees a file in his account that belongs to "bin" and
chowns it to him.  Since the two links point to only one file, he now owns
/usr/bin/vi!  The following morning he replaces it with a trojan that checks
if root is vi'ing a file and quickly does dirty work if so, and in either case
exec's a copy of the real vi to make the change invisible to the invoker.  The
solution could be to alter the daemon to make the user a copy of the offending
file and remove the original, but a simple chown is a serious security hole.
-- 
Anthony DeBoer - NAUI #Z8800                           adeboer at gjetor.geac.com 
Programmer, Geac J&E Systems Ltd.             uunet!jtsv16!geac!gjetor!adeboer
Toronto, Ontario, Canada             #include <std.random.opinions.disclaimer>
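As an added illustration of the copy-instead-of-chown fix the post proposes (my own code, not the poster's; function names, the "keep/skip/copy/chown" actions and the constructed temp-directory scenario in `demo()` are all my assumptions), a cleanup step that looks at st_nlink before touching a foreign-owned file:

```python
# Added example (not code from the original post): a cleanup step that handles
# files a user does not own without the hard-link hole described above.
# chown(2) acts on the inode, so with st_nlink > 1 it also hands the user every
# other path to that inode (e.g. /usr/bin/vi); such files get a private copy.
import os
import shutil
import stat
import tempfile

def plan_action(path, user_uid):
    """Decide what to do with one path found in the user's home directory."""
    st = os.lstat(path)                  # lstat: do not follow symlinks
    if st.st_uid == user_uid:
        return "keep"                    # already the user's file
    if not stat.S_ISREG(st.st_mode):
        return "skip"                    # symlink, device, fifo: not ours to fix
    if st.st_nlink > 1:
        return "copy"                    # shared inode: chown would leak ownership
    return "chown"                       # sole link to a private inode: safe to chown

def replace_with_copy(path, uid=-1, gid=-1):
    """Swap the directory entry at `path` for a fresh single-link inode holding
    the same bytes, then chown that inode (uid/gid -1 = leave unchanged).  The
    original inode and its other links stay untouched."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".cleanup-")
    os.close(fd)
    shutil.copyfile(path, tmp)           # contents only; tmp is a new inode
    os.rename(tmp, path)                 # atomically drop our link to the shared inode
    os.chown(path, uid, gid)             # safe now: nobody else links to this inode

def demo():
    """Constructed scenario from the post, no root needed: a 'system' vi
    hard-linked into a home directory beside a private file and a symlink."""
    root = tempfile.mkdtemp()
    sysvi, home = os.path.join(root, "vi"), os.path.join(root, "home")
    with open(sysvi, "w") as f:
        f.write("real vi")
    os.mkdir(home)
    os.link(sysvi, os.path.join(home, "vi"))       # the "ln /usr/bin/vi ~" step
    open(os.path.join(home, "notes"), "w").close()
    os.symlink(sysvi, os.path.join(home, "vi.lnk"))
    other_uid = os.getuid() + 1                    # pretend the user is someone else
    plans = {n: plan_action(os.path.join(home, n), other_uid)
             for n in ("vi", "notes", "vi.lnk")}
    replace_with_copy(os.path.join(home, "vi"))    # the "copy" action, uid/gid unchanged
    nlinks = (os.lstat(sysvi).st_nlink, os.lstat(os.path.join(home, "vi")).st_nlink)
    return {"plans": plans, "nlinks": nlinks, "sysvi_intact": open(sysvi).read() == "real vi"}
```

In a real nightly job the daemon runs as root and passes the user's uid/gid to `replace_with_copy`; `demo()` leaves ownership alone so it can run unprivileged.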