[net.unix-wizards] chown of files

ian (07/29/82)

It seems to me a mistake to allow users to chown files to somebody
else -- IF you run an open shop and are subject to possible malicious
users. Two reasons:
	1) I can chown core files to somebody else and he will
	   have to pay for them (where disk usage is billed for)
	2) I can make a setuid program that does an `rm *',
	   chown it to joe, and run it in joe's directory.
	   Bye bye joe's files.
If you run a small, closed shop then it's a nice feature.
Like to see it a system administrator's choice (i.e., a #ifdef somewhere).

Ian Darwin
Toronto

sjb (07/30/82)

Chown should remove the setuid (and setgid) bits of a
file's mode when it is called.  Same with chgrp.  However,
one can say something like this:
	chown some_powerful_group file
	chmod 2700 file
and then own a file that is setgid to the powerful group
(say bin or sys)

eric (07/31/82)

Re: item #2 (doing a setuid rm * after a malicious CHOWN)....
I quote from the UNIX manual... chown(2)...

	"If chown is invoked by any other than the super user, the
	suid and sgid bits of the file will be cleared"..

Now if the guy has the root password, I would think you have many other
greater problems to worry about.
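
Added example, not part of the original thread: a small C check of the chown(2) behaviour quoted in the last post, which creates a scratch file with mode 06755, calls fchown() on it with the caller's own uid and gid (so ownership does not actually change), and reports whether the setuid and setgid bits survived. The function name and the /tmp scratch path are hypothetical; the exit status assumes a system such as current Linux, where the bits are cleared on a regular executable file for every caller, while POSIX leaves the privileged case implementation-defined.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns the permission bits (mode & 07777) of a
 * scratch file after chown, or -1 if any step fails. */
int mode_after_chown(void)
{
    char path[] = "/tmp/chown_demo_XXXXXX";   /* constructed scratch path */
    struct stat st;
    int result = -1;
    int fd = mkstemp(path);

    if (fd < 0)
        return -1;
    /* fchmod is not subject to the umask, so the bits are set exactly.
     * Re-check them first: some systems silently refuse S_ISGID. */
    if (fchmod(fd, S_ISUID | S_ISGID | 0755) == 0 &&
        fstat(fd, &st) == 0 &&
        (st.st_mode & 07777) == (S_ISUID | S_ISGID | 0755) &&
        fchown(fd, geteuid(), getegid()) == 0 &&
        fstat(fd, &st) == 0)
        result = (int)(st.st_mode & 07777);

    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    int after = mode_after_chown();

    if (after < 0) {
        fprintf(stderr, "could not set up or chown the scratch file\n");
        return EXIT_FAILURE;
    }
    printf("euid=%ld mode before=06755 after=%04o\n",
           (long)geteuid(), (unsigned)after);
    printf("setuid %s, setgid %s\n",
           (after & S_ISUID) ? "KEPT" : "cleared",
           (after & S_ISGID) ? "KEPT" : "cleared");
    /* Non-zero exit if either bit survived the chown. */
    return (after & (S_ISUID | S_ISGID)) ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Running it once as an ordinary user and once as root shows whether the local kernel treats the privileged case differently.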