rstevens@noao.edu (Rich Stevens) (12/05/90)
BSD-based systems (SunOS and 4.3BSD, for example) specifically state on the chmod(2) man page that a non-superuser process writing to a file automatically clears the SUID and SGID bits. That makes sense. But, in going through the SVID (Third Edition) and the SVR4 manuals, I can't find any reference to this feature. Do the AT&T Unices really not do this?

Rich Stevens (rstevens@noao.edu)
bruner@sp15.csrd.uiuc.edu (John Bruner) (12/06/90)
Clearing the SUID and SGID bits when the file is written is a hack. I recall asking someone at Berkeley about this many years ago. There were problems with the mailer involving the ability to write setuid files. They couldn't fix it in the mailer, so they decided to "fix" it in the kernel. The original implementation cleared the SUID/SGID bits on a write by anyone. The exception for root was made later because so many install scripts, etc. were broken by the change.

A better fix would be to clear the bits only if the writer is not the owner or member of the group (e.g., if the file is mode 4775, clear the SUID bit if it is written by someone other than the owner; if 2777, clear the SGID bit if written by someone who doesn't belong to the same group). However, the current behavior protects novice users from themselves -- I've seen new UNIX users try to share accounts by creating mode 4777 programs for each other.

I have no idea what POSIX does.

--
John Bruner
Center for Supercomputing R&D, University of Illinois
bruner@csrd.uiuc.edu (217) 244-4476
goudreau@larrybud.rtp.dg.com (Bob Goudreau) (12/06/90)
In article <1990Dec5.135759.12508@noao.edu>, rstevens@noao.edu (Rich Stevens) writes:
>
> BSD-based systems (SunOS and 4.3BSD, for example) specifically state
> on the chmod(2) man page that a non-superuser process writing to a
> file automatically clears the SUID and SGID bits. That makes sense.
> But, in going through the SVID (Third Edition) and the SVR4 manuals,
> I can't find any reference to this feature. Do the AT&T Unices really
> not do this?

Yup, it's true. System V has avoided this blemish from BSD.

But note that the SVID also mandates that a chown() will result in the set-UID and set-GID bits being cleared (unless the process has "appropriate privileges"). Otherwise, the system would have a gaping security hole: I could create a file, chmod() it to mode 4755, chown() it to root, and voila: I have a setuid root program!

----------------------------------------------------------------------
Bob Goudreau
Data General Corporation
62 Alexander Drive
Research Triangle Park, NC 27709, USA
+1 919 248 6231
goudreau@dg-rtp.dg.com
...!mcnc!rti!xyzzy!goudreau
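
Added example, not part of any post in this thread: a small C probe that reports whether the running kernel clears the SUID and SGID bits when the calling process writes to a file, the behaviour the thread attributes to the BSD chmod(2) man page. The function name and the /tmp scratch path are assumptions made for the example.

```c
#define _XOPEN_SOURCE 700   /* for mkstemp() and fchmod() declarations */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define SETID_BITS (S_ISUID | S_ISGID)

/*
 * Create a scratch file, set SUID+SGID on it, write one byte, and return
 * the set-ID bits that survive the write (0 means both were cleared).
 * *before receives the bits the kernel accepted from fchmod(); it may
 * silently drop SGID if the caller is not in the file's group.
 * Returns -1 on any error. Function name and path are hypothetical.
 */
int setid_bits_after_write(mode_t *before)
{
    char path[] = "/tmp/setid-probe-XXXXXX";  /* constructed scratch path */
    struct stat st;
    int after = -1;
    int fd = mkstemp(path);                    /* created 0600, owned by us */

    if (fd < 0)
        return -1;
    /* 06750: group-execute set so S_ISGID means set-group-ID, not locking */
    if (fchmod(fd, 06750) == 0 && fstat(fd, &st) == 0) {
        *before = st.st_mode & SETID_BITS;
        if (write(fd, "x", 1) == 1 && fstat(fd, &st) == 0)
            after = (int)(st.st_mode & SETID_BITS);
    }
    close(fd);
    unlink(path);
    return after;
}

int main(void)
{
    mode_t before = 0;
    int after = setid_bits_after_write(&before);

    if (after < 0) {
        fprintf(stderr, "setid probe failed\n");
        return EXIT_FAILURE;
    }
    printf("euid=%ld before=%04o after=%04o: %s\n", (long)geteuid(),
           (unsigned)before, (unsigned)after,
           after == 0 ? "cleared on write" : "preserved on write");
    return EXIT_SUCCESS;
}
```

Run it once as an ordinary user and once as root to see whether the system makes the superuser exception described in the thread.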