Your message dated Tue, 23 Nov 2010 03:40:16 -0700
with message-id <[email protected]>
and subject line Re: Bug#604625: coreutils: chmod can't unset S_ISUID, S_ISGID 
once set on a directory
has caused the Debian Bug report #604625,
regarding coreutils: chmod can't unset S_ISUID, S_ISGID once set on a directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
604625: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604625
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: coreutils
Version: 8.5-1
Severity: normal

After setting S_ISUID and/or S_ISGID on a directory, it is impossible to
remove those special permissions. For example:

rcshe...@miranda:~$ mkdir bug; ls -ld bug
drwxr-xr-x 2 rcsheets rcsheets 4096 2010-11-22 23:30 bug
rcshe...@miranda:~$ chmod -v 7755 bug; ls -ld bug
mode of `bug' changed to 7755 (rwsr-sr-t)
drwsr-sr-t 2 rcsheets rcsheets 4096 2010-11-22 23:30 bug
rcshe...@miranda:~$ chmod -v 0755 bug; ls -ld bug
mode of `bug' changed to 6755 (rwsr-sr-x)
drwsr-sr-x 2 rcsheets rcsheets 4096 2010-11-22 23:30 bug


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages coreutils depends on:
ii  libacl1                       2.2.49-4   Access control list shared library
ii  libattr1                      1:2.4.44-2 Extended attribute shared library
ii  libc6                         2.11.2-7   Embedded GNU C Library: Shared lib
ii  libselinux1                   2.0.96-1   SELinux runtime shared libraries

coreutils recommends no packages.

coreutils suggests no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Robert C. Sheets wrote:
> After setting S_ISUID and/or S_ISGID on a directory, it is impossible to
> remove those special permissions. For example:

Thank you for the report.  But this is an intentional change in
behavior in coreutils 6.0 2006-08-15.  It isn't impossible.  You just
need to ask for it explicitly.

> rcshe...@miranda:~$ mkdir bug; ls -ld bug
> drwxr-xr-x 2 rcsheets rcsheets 4096 2010-11-22 23:30 bug
> rcshe...@miranda:~$ chmod -v 7755 bug; ls -ld bug
> mode of `bug' changed to 7755 (rwsr-sr-t)
> drwsr-sr-t 2 rcsheets rcsheets 4096 2010-11-22 23:30 bug
> rcshe...@miranda:~$ chmod -v 0755 bug; ls -ld bug
> mode of `bug' changed to 6755 (rwsr-sr-x)
> drwsr-sr-x 2 rcsheets rcsheets 4096 2010-11-22 23:30 bug

The man page for chmod says:

       chmod preserves a directory's set-user-ID and set-group-ID bits unless you
       explicitly specify otherwise.  You can set or clear the bits with symbolic
       modes  like  u+s  and g-s, and you can set (but not clear) the bits with a
       numeric mode.

The info documentation is quite extensive:

  $ info coreutils 'Directory Setuid and Setgid'

  27.4 Directories and the Set-User-ID and Set-Group-ID Bits
  ==========================================================

  On most systems, if a directory's set-group-ID bit is set, newly
  created subfiles inherit the same group as the directory, and newly
  created subdirectories inherit the set-group-ID bit of the parent
  directory.  On a few systems, a directory's set-user-ID bit has a
  similar effect on the ownership of new subfiles and the set-user-ID
  bits of new subdirectories.  These mechanisms let users share files
  more easily, by lessening the need to use `chmod' or `chown' to share
  new files.

     These convenience mechanisms rely on the set-user-ID and set-group-ID
  bits of directories.  If commands like `chmod' and `mkdir' routinely
  cleared these bits on directories, the mechanisms would be less
  convenient and it would be harder to share files.  Therefore, a command
  like `chmod' does not affect the set-user-ID or set-group-ID bits of a
  directory unless the user specifically mentions them in a symbolic
  mode, or sets them in a numeric mode.  For example, on systems that
  support set-group-ID inheritance:

       # These commands leave the set-user-ID and
       # set-group-ID bits of the subdirectories alone,
       # so that they retain their default values.
       mkdir A B C
       chmod 755 A
       chmod 0755 B
       chmod u=rwx,go=rx C
       mkdir -m 755 D
       mkdir -m 0755 E
       mkdir -m u=rwx,go=rx F

     If you want to try to set these bits, you must mention them
  explicitly in the symbolic or numeric modes, e.g.:

       # These commands try to set the set-user-ID
       # and set-group-ID bits of the subdirectories.
       mkdir G H
       chmod 6755 G
       chmod u=rwx,go=rx,a+s H
       mkdir -m 6755 I
       mkdir -m u=rwx,go=rx,a+s J

     If you want to try to clear these bits, you must mention them
  explicitly in a symbolic mode, e.g.:

       # This command tries to clear the set-user-ID
       # and set-group-ID bits of the directory D.
       chmod a-s D

     This behavior is a GNU extension.  Portable scripts should not rely
  on requests to set or clear these bits on directories, as POSIX allows
  implementations to ignore these requests.

See /usr/share/doc/coreutils/NEWS.gz for this information noting the
change in behavior:

  * Major changes in release 6.0 (2006-08-15) [unstable]
  ** Changes in behavior

  chmod, install, and mkdir now preserve a directory's set-user-ID and
  set-group-ID bits unless you explicitly request otherwise.  E.g.,
  `chmod 755 DIR' and `chmod u=rwx,go=rx DIR' now preserve DIR's
  set-user-ID and set-group-ID bits instead of clearing them, and
  similarly for `mkdir -m 755 DIR' and `mkdir -m u=rwx,go=rx DIR'.  To
  clear the bits, mention them explicitly in a symbolic mode, e.g.,
  `mkdir -m u=rwx,go=rx,-s DIR'.  To set them, mention them explicitly
  in either a symbolic or a numeric mode, e.g., `mkdir -m 2755 DIR',
  `mkdir -m u=rwx,go=rx,g+s' DIR.  This change is for convenience on
  systems where these bits inherit from parents.  Unfortunately other
  operating systems are not consistent here, and portable scripts
  cannot assume the bits are set, cleared, or preserved, even when the
  bits are explicitly mentioned.  For example, OpenBSD 3.9 `mkdir -m
  777 D' preserves D's setgid bit but `chmod 777 D' clears it.
  Conversely, Solaris 10 `mkdir -m 777 D', `mkdir -m g-s D', and
  `chmod 0777 D' all preserve D's setgid bit, and you must use
  something like `chmod g-s D' to clear it.

You may find this upstream discussion of the change useful.  Note that
I opposed this change but was outvoted.

  http://lists.gnu.org/archive/html/bug-coreutils/2006-07/msg00124.html

I do however believe that improving the environment to better support
set-id directories is a good thing.

Bob


--- End Message ---
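
Added example, not part of the original thread or of coreutils: a hardening script can force a directory to an exact mode by clearing the set-ID bits with a symbolic mode before applying the numeric one, which works whether or not chmod preserves them. The helper names (`perms`, `has_set_id`, `set_dir_mode_exact`) and the temporary directory are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: force a directory to an exact mode, including clearing
# set-user-ID / set-group-ID, without relying on numeric-mode semantics.

# perms DIR: print the 10-character permission string from `ls -ld`.
perms() {
    ls -ld -- "$1" | cut -c1-10
}

# has_set_id DIR: succeed if set-user-ID or set-group-ID is set on DIR.
# ls shows these as s/S in the owner or group execute position.
has_set_id() {
    case "$(perms "$1" | cut -c4,7)" in
        *[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# set_dir_mode_exact MODE DIR (hypothetical helper): clear both bits with a
# symbolic mode first, then apply MODE. If MODE itself names the bits
# (e.g. 2755), the numeric step sets them again.
set_dir_mode_exact() {
    chmod u-s,g-s -- "$2" && chmod "$1" -- "$2"
}

# demo: repeat the sequence from the bug report on a constructed
# temporary directory, then apply the explicit clearing.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bug"
    chmod 6755 "$d/bug"
    echo "after chmod 6755:         $(perms "$d/bug")"
    chmod 0755 "$d/bug"
    # GNU chmod (coreutils >= 6.0) preserves the bits here; other
    # implementations may clear them, so do not rely on either outcome.
    echo "after chmod 0755:         $(perms "$d/bug")"
    set_dir_mode_exact 0755 "$d/bug"
    echo "after set_dir_mode_exact: $(perms "$d/bug")"
    rm -rf -- "$d"
}

demo
```

Checking the result with `has_set_id` after the change catches the case where a plain numeric `chmod` left a set-ID directory in place.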
