UNIX file setuid sucurity hole?
heiby at mcdchg.UUCP
heiby at mcdchg.UUCP
Sat Mar 14 06:51:18 AEST 1987
In article <695 at aw.sei.cmu.edu.sei.cmu.edu> pdb at sei.cmu.edu.UUCP (Pat Barron) writes:
>
>Of course, if you are running on a system which does allow random users to
>use chown (I've never heard of such a beastie, but just for the sake of
>argument...), I'd have have chown clear the 6000 bits of a file's protection
>as part of the chown process (and, of course, you couldn't reset them, since
>you can't chmod a file you don't own....)
I've heard of "such a beastie". It's called System V, and yes, it does
clear the 6000 bits of the permissions.
Quoting now from the "System V Interface Definition", Issue 2, Volume II,
page 138:
The command "chown" changes the owner of the "files" to "owner".
The owner may be either a decimal user ID or a login name found
in the password file.
The command "chgrp" changes the group ID of the "files" to "group".
The group may be either a decimal group ID or a group name found in
the group file.
If either command is invoked by other than the super-user, the
set-user-ID and set-group-ID bits of the file mode will be cleared.
This follows implicitly from the description of the "chown(BA_OS)" call,
described in Volume I on page 65.
Yes, System V and 4bsd have a different opinion of what should be done
with chown by a non-super-user. No, I don't want to get into a religious
argument. Yes, it will have to be worked out in the efforts to merge
the two implementations. No, I don't know what they're going to do.
BTW, this is also stated in almost identical language in the System V
User's Reference. RTFM!
--
Ron Heiby, mcdchg!heiby Moderator: mod.newprod & mod.os.unix
Motorola Microcomputer Division (MCD), Schaumburg, IL
"Save your energy. Save yourselves. Avoid the planet 'cuae2' at all costs!"
More information about the Comp.unix.wizards
mailing list