navarra@casbah.acns.nwu.edu (John Navarra) (03/10/91)
I am running SunOS and I was wondering about the following:

ls -lasd /somedir on my machine:

    20 drwxrwsrwt 2 daemon staff 9728 Mar 9 12:37 /some dir

Now you see that this dir has its sgid bit on which means (if I remember
correctly) that when you make a file in this dir, it is given the same guid.
Let's see:

    vi somefile
    ls -las | grep somefile:

    2 -rw------- 1 navarra staff 2 Mar 9 12:41 somefile

    id: groups=20(users)

I am not a member of staff but I wanted to see if I could do the following:

    cp /bin/sh /somedir/sh
    chmod g+s /sh
    ls -las | grep sh

    224 -rwx--x--x 1 navarra staff 106496 Mar 9 13:18 sh

As you see I was not able to set this bit. I was wondering if you actually
have to be a member of the group to set its bit? Is this true on all Unix
systems?

From the Lab of the MaD SCiEntIsT:
navarra@casbaha.acns.nwu.edu
jik@athena.mit.edu (Jonathan I. Kamens) (03/11/91)
In article <1991Mar9.212943.1961@casbah.acns.nwu.edu>, navarra@casbah.acns.nwu.edu (John Navarra) writes:
|> I am not a member of staff but I wanted to see if I could do the following:
|>
|> cp /bin/sh /somedir/sh
|> chmod g+s /sh
|> ls -las | grep sh
|>
|> 224 -rwx--x--x 1 navarra staff 106496 Mar 9 13:18 sh
|>
|> As you see I was not able to set this bit. I was wondering if you actually
|> have to be a member of the group to set its bit? Is this true on all Unix
|> systems?

To allow a user to make a binary setgid to a group of which he is not a
member would be a gaping security hole, allowing any user to violate the
entire group security mechanism.

It should be clear why this is so; if I'm not a member of a group but I can
make a program setgid to that group, then I can write a program to do
anything I want that requires that group's access rights, and then make it
setgid to that group and run it.

So yes, you actually have to be a member of a group to make something setgid
to that group.

By the way, why the "na" distribution?

--
Jonathan Kamens                              USnail:
MIT Project Athena                             11 Ashford Terrace
jik@Athena.MIT.EDU                             Allston, MA 02134
Office: 617-253-8085                         Home: 617-782-0710
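
The rule described in the reply above, written as a small check that can be compared against a live chmod. This is an added example, not part of either post; the function names are hypothetical, and the uid and the gid for staff in the comment are constructed (the thread gives only groups=20(users)).

```sh
#!/bin/sh
# Added example: model of the setgid rule from the thread, checked against chmod.

# Numeric group that owns a file, parsed from `ls -ln` (works with GNU and BSD ls).
file_gid() { ls -lnd "$1" | awk '{print $4}'; }

# predict_setgid UID FILE_GID GID...
# Prints "kept" if chmod g+s by that caller would leave the bit set, else "cleared".
# Modeled rule: the superuser always keeps it; anyone else must belong to the
# file's group. Constructed ids: predict_setgid 1001 10 20  -> cleared
predict_setgid() {
    uid=$1; fgid=$2; shift 2
    if [ "$uid" -eq 0 ]; then echo kept; return 0; fi
    for g in "$@"; do
        if [ "$g" -eq "$fgid" ]; then echo kept; return 0; fi
    done
    echo cleared
}

# observe_setgid FILE: run chmod g+s as the current user and report what stuck.
# chmod's exit status is ignored on purpose: the call can succeed while the bit
# is dropped silently, which matches the listing in the original post.
observe_setgid() {
    chmod g+s "$1" 2>/dev/null || true
    if [ -g "$1" ]; then echo kept; else echo cleared; fi
}

# Compare prediction and observation on a scratch file owned by the caller.
demo() {
    f=$(mktemp) || return 0
    want=$(predict_setgid "$(id -u)" "$(file_gid "$f")" $(id -G))
    got=$(observe_setgid "$f")
    echo "file gid $(file_gid "$f"): predicted=$want observed=$got"
    rm -f "$f"
}
demo
```

Running it inside a setgid directory owned by a group you are not in reproduces the poster's case: the new file inherits that group and the prediction becomes "cleared".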