Message-ID: <406D69D2.10306@informatik.hu-berlin.de>
Date: Fri, 02 Apr 2004 15:25:38 +0200
From: Stefan Nordhausen
To: linux-kernel@vger.kernel.org
Subject: chown() not POSIX compliant in 2.2.* and 2.4.*

Hi,

I noted that chown will not always take away the SGID bit from nondirectories. Posix says the following about it (taken from [1]):

"If the path argument refers to a regular file, the set-user-ID (S_ISUID) and set-group-ID (S_ISGID) bits of the file mode shall be cleared upon successful return from chown(), unless the call is made by process with appropriate privileges [=root], in which case it is implementation defined whether those bits are altered."

As far as I can tell the 2.6.* kernel is Posix compliant as it will always remove both SUID and SGID. 2.2.* and 2.4.* will _only_ remove the SGID bit if the file is group executable. This is not Posix compliant and it is also a potential security hole (as in my case).

So I suggest the attached patch against 2.4.26rc1. It will make chown always clear the SGID bit, just like 2.6 does.

Kind regards,
Stefan Nordhausen

[1] http://mail-index.netbsd.org/netbsd-bugs/1997/12/10/0003.html

--
Not only does god play dice. The dice are loaded.

diff -Naur linux-2.4.26rc1/fs/open.c linux-2.4.26rc1_/fs/open.c --- linux-2.4.26rc1/fs/open.c 2004-04-02 14:46:26.000000000 +0200 +++ linux-2.4.26rc1_/fs/open.c 2004-04-02 15:01:21.000000000 +0200
@@ -587,8 +587,10 @@ * 19981026 David C Niemi * * Removed the fsuid check (see the comment above) -- 19990830 SD. + * + * Always remove SGID bit to comply with POSIX. */ - if (((inode->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) + if (((inode->i_mode & S_ISGID) == S_ISGID) && !S_ISDIR(inode->i_mode)) { newattrs.ia_mode &= ~S_ISGID;
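
Review bot: Dropping S_IXGRP from the test in the if changes behaviour for every non-directory that has S_ISGID set without group execute, and the added comment ("Always remove SGID bit to comply with POSIX") does not say why the earlier group-execute exception existed or what happens to files that depended on it. On Linux that mode combination is the marker for mandatory locking, which the hunk does not show, so the comment should state that chown now clears the bit on such files as well, or explain why that is acceptable. Two smaller points: "Always" overstates the change, since !S_ISDIR(inode->i_mode) still exempts directories; and for a single bit, (inode->i_mode & S_ISGID) == S_ISGID can be written as inode->i_mode & S_ISGID. The new comment line also lacks the date and initials that the entries above it carry.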