UNIX file setuid security hole?

heiby at mcdchg.UUCP
Sat Mar 14 06:51:18 AEST 1987


In article <695 at aw.sei.cmu.edu.sei.cmu.edu> pdb at sei.cmu.edu.UUCP (Pat Barron) writes:
>
>Of course, if you are running on a system which does allow random users to
>use chown (I've never heard of such a beastie, but just for the sake of
>argument...), I'd have chown clear the 6000 bits of a file's protection
>as part of the chown process (and, of course, you couldn't reset them, since
>you can't chmod a file you don't own....)

I've heard of "such a beastie".  It's called System V, and yes, it does
clear the 6000 bits of the permissions.

Quoting now from the "System V Interface Definition", Issue 2, Volume II,
page 138:
	The command "chown" changes the owner of the "files" to "owner".
	The owner may be either a decimal user ID or a login name found
	in the password file.

	The command "chgrp" changes the group ID of the "files" to "group".
	The group may be either a decimal group ID or a group name found in
	the group file.

	If either command is invoked by other than the super-user, the
	set-user-ID and set-group-ID bits of the file mode will be cleared.

This follows implicitly from the description of the "chown(BA_OS)" call,
described in Volume I on page 65.

Yes, System V and 4bsd have a different opinion of what should be done
with chown by a non-super-user.  No, I don't want to get into a religious
argument.  Yes, it will have to be worked out in the efforts to merge
the two implementations.  No, I don't know what they're going to do.

BTW, this is also stated in almost identical language in the System V
User's Reference.  RTFM!
-- 
Ron Heiby, mcdchg!heiby		Moderator: mod.newprod & mod.os.unix
Motorola Microcomputer Division (MCD), Schaumburg, IL
"Save your energy.  Save yourselves.  Avoid the planet 'cuae2' at all costs!"
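Added example, not from Heiby's post, the SVID or any of the systems named in the thread: a small C probe for the behaviour the post describes. It creates a scratch file, sets the 6000 bits on it, attempts the kind of give-away chown to root that Pat Barron was worried about, and reports whether the set-user-ID/set-group-ID bits survived. On a current Linux an unprivileged caller gets EPERM, and a privileged one sees the bits cleared as part of the chown, which is the System V rule quoted above. The enum names, the `/tmp` path prefix and the 06755 mode are this example's own choices, not anything from the thread.

```c
/* Probe: does chown(2) as performed by this process clear the set-user-ID
 * and set-group-ID bits ("the 6000 bits") the way the SVID text says
 * System V's chown does?  Added example; the names below are its own. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum chown_probe {
    PROBE_SETUP_FAILED = -1, /* could not create the file or set the setuid bit on it */
    PROBE_CHOWN_DENIED = 0,  /* chown to root refused (EPERM): the BSD-style hole is closed */
    PROBE_BITS_CLEARED = 1,  /* chown succeeded and stripped the 6000 bits (SVID behaviour) */
    PROBE_BITS_KEPT    = 2   /* chown succeeded and left setuid/setgid intact: the hole */
};

#define SUID_SGID (S_ISUID | S_ISGID)

/* Returns one of enum chown_probe.  Every step works on the open descriptor
 * (fchmod/fchown/fstat), never on the path, so nothing can be swapped in
 * under the name between the steps. */
enum chown_probe probe_chown_clears_setuid(void)
{
    char path[] = "/tmp/chown-probe-XXXXXX"; /* assumption: /tmp is writable */
    int fd = mkstemp(path);
    if (fd < 0)
        return PROBE_SETUP_FAILED;
    unlink(path); /* the descriptor keeps the inode alive; the name goes away now */

    struct stat st;
    /* Step 1: give it the shape of a setuid/setgid executable: rwsr-sr-x (06755).
     * Some kernels silently drop S_ISGID if we are not in the file's group,
     * so only insist on S_ISUID and remember which of the two bits took. */
    if (fchmod(fd, S_ISUID | S_ISGID | S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH) != 0 ||
        fstat(fd, &st) != 0 || !(st.st_mode & S_ISUID)) {
        close(fd);
        return PROBE_SETUP_FAILED;
    }
    mode_t set_before = st.st_mode & SUID_SGID;

    /* Step 2: the give-away: hand the file to root (uid 0, gid 0).
     * An unprivileged caller on a system that restricts chown gets EPERM here. */
    if (fchown(fd, 0, 0) != 0) {
        int err = errno;
        close(fd);
        return err == EPERM ? PROBE_CHOWN_DENIED : PROBE_SETUP_FAILED;
    }

    /* Step 3: did the kernel strip the bits as part of the chown? */
    if (fstat(fd, &st) != 0) {
        close(fd);
        return PROBE_SETUP_FAILED;
    }
    close(fd);
    return (st.st_mode & set_before) ? PROBE_BITS_KEPT : PROBE_BITS_CLEARED;
}

int main(void)
{
    static const char *const names[] = {
        "chown to root denied", "6000 bits cleared by chown", "6000 bits kept across chown (hole!)"
    };
    enum chown_probe r = probe_chown_clears_setuid();
    if (r == PROBE_SETUP_FAILED) {
        perror("probe setup");
        return 1;
    }
    printf("chown probe: %s\n", names[r]);
    return 0;
}
```

Two caveats worth knowing when reading the result: on Linux the clearing happens for any chown of a non-directory, even one that leaves the owner unchanged, and since 2.2.13 it applies to root as well; and Linux does not clear S_ISGID on a file without group-execute permission, because that combination means mandatory locking rather than set-group-ID. Run the probe once as an ordinary user and once as root to see both of the non-hole outcomes.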
