UNIX file setuid security hole?

terryl at tekcrl.UUCP terryl at tekcrl.UUCP
Sat Mar 14 04:44:26 AEST 1987


In article <2168 at ncoast.UUCP> robertd at ncoast.UUCP (Robert DeMarco) writes:
+
+	
+	It just occurred to me that,
+thanks to the chown command and "setuid
+to owner when executing this C program"
+that no one's file is really safe.
+
+	I mean, couldn't someone who
+knows C a lot write a program that is
+equivalent to "cat" that would display
+another user's secret file. Then simply
+chmod the file to set to the owner's ID
+upon execution? Then chown it to the
+owner. Then execute the command. Your
+uid will be set to the owner, who owns
+the file you wish to see.
+
+
+	For instance, let's say there
+is a file called "foo", and John Smith
+owns the file. Now let's say that Peter
+Jones wants to see the file but can't,
+because he's not allowed.
+
+	Now Peter can write a program
+called "xyz" that displays John's file.
+However, Peter still can't access it.
+Now, let's say, that Peter sets the
+permission on his program so that any
+one can access it, and the uid will be
+set to owner (Peter). Now Peter then can
+"chown" the command to John. The file
+now belongs to John. Then Peter
+executes the file. Since the file
+permissions say to change id to owner,
+Peter's ID will be changed to John's ID
+for the duration of the program. Now
+Peter will BE ALLOWED to read John's
+file.
+
+	How can you protect against
+this?


     Well, for one thing, some flavors of UNIX do NOT allow normal mortal users
(i.e. people who are not root) to do a chown of a file. That's why chown is
set-user-id to root on these systems. But, there are some flavors that DO allow
normal mortal users to do a chown of a file. Of all of the systems I've seen that
allow this, when the user does a chown of a file, the set-user-id bit is RESET,
i.e. it is no longer a set-user-id file. I've even seen some systems that always
reset the set-user-id bit, even if it is root that did the chown. Thus your
security hole is nonexistent.


			Terry Laskodi
			     of
			Tektronix
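
A check for the behaviour described in the reply above, as an added example that is not part of the original post: it creates a scratch file owned by the caller, sets the set-user-ID bit, chowns the file to the caller's own uid and reports whether the bit survived. The function name and scratch file name are made up for the example, and the result depends on the system, as the reply says.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper for this example.
 * Returns 1 if chown() cleared S_ISUID, 0 if the bit survived, -1 on error.
 * The scratch file belongs to the caller and is removed before returning. */
int chown_clears_setuid(const char *dir)
{
    char path[4096];
    struct stat before, after;
    int fd, result = -1;

    if (snprintf(path, sizeof path, "%s/suidcheckXXXXXX", dir) >= (int)sizeof path)
        return -1;
    fd = mkstemp(path);                 /* created with mode 0600, owned by us */
    if (fd < 0)
        return -1;

    /* Mark the scratch file set-user-ID, as Peter would mark "xyz". */
    if (fchmod(fd, S_ISUID | 0755) == 0 &&
        fstat(fd, &before) == 0 && (before.st_mode & S_ISUID) &&
        /* chown to our own uid: permitted even where giving files away is not */
        fchown(fd, getuid(), (gid_t)-1) == 0 &&
        fstat(fd, &after) == 0)
        result = (after.st_mode & S_ISUID) ? 0 : 1;

    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    const char *dir = getenv("TMPDIR");
    int r = chown_clears_setuid(dir ? dir : "/tmp");

    if (r < 0) {
        fprintf(stderr, "could not run the check\n");
        return 2;
    }
    printf("chown %s the set-user-ID bit\n", r ? "cleared" : "kept");
    return r ? 0 : 1;   /* non-zero exit if the bit survived a chown */
}
```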



More information about the Comp.unix.wizards mailing list