Jan Schaumann <jscha...@netmeister.org> writes:

> Hello,
>
> The manual page for chown(1) notes:
>
>     The ownership of a file may only be altered by a super-user for
>     obvious security reasons.
>
>     Unless invoked by the super-user, chown clears the set-user-id and
>     set-group-id bits on a file to prevent accidental or mischievous
>     creation of set-user-id and set-group-id programs.
>
> I observe:
>
> $ ls -l a.out
> -rwsr-xr-x  1 root  wheel  10468 Sep 18 16:59 a.out
> $ sudo chown nobody a.out
> $ ls -l a.out            
> -rwxr-xr-x  1 nobody  wheel  10468 Sep 18 16:59 a.out

The relevant standards permit and actually seem to require this
behavior:

http://pubs.opengroup.org/onlinepubs/9699919799/functions/chown.html
http://pubs.opengroup.org/onlinepubs/9699919799/utilities/chown.html

So it seems that while chown(2) may clear the bits when the invoking
user is root, chown(8) is required to clear them (on regular files).


> Two questions:
>
> (1) If chowning files is only possible by the super-user ("for obvious
> security reasons"), then why do we bother explicitly noting that "Unless
> invoked by the super-user..." it clears the setuid bits?  Isn't the
> "Unless" clause redundant if chown(1) cannot succeed without super-user
> privs anyway?

Arguably this should perhaps be rephrased to be more
security-model-neutral anyway.

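Added example, not part of the original message or of any chown implementation: a small C check of the chown(2)-level behaviour discussed above, reporting which set-id bits an fchown(2) call removed from a file. The names fchown_lost_bits and demo and the scratch file under /tmp are assumptions made for illustration; the result depends on the system and on whether the caller is the super-user.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define SET_ID_BITS (S_ISUID | S_ISGID)

/* Hypothetical helper: fchown(2) the open file and return the set-id bits
 * that were present before the call and absent after it (0 if none were
 * lost), or -1 on error. Works on a descriptor so the file inspected is
 * the file that was changed. */
int fchown_lost_bits(int fd, uid_t uid, gid_t gid)
{
    struct stat before, after;

    if (fstat(fd, &before) != 0) return -1;
    if (fchown(fd, uid, gid) != 0) return -1;
    if (fstat(fd, &after) != 0) return -1;
    return (int)(before.st_mode & SET_ID_BITS & ~after.st_mode);
}

/* Constructed demo: make a scratch file mode 4755 owned by the caller,
 * then "change" the owner to the caller's own uid, leaving the group alone. */
int demo(void)
{
    char path[] = "/tmp/chown-demo-XXXXXX";   /* constructed scratch path */
    int fd = mkstemp(path);
    int lost;

    if (fd < 0) return -1;
    unlink(path);                              /* file lives only via fd */
    if (fchmod(fd, 04755) != 0) { close(fd); return -1; }
    lost = fchown_lost_bits(fd, getuid(), (gid_t)-1);
    close(fd);
    return lost;
}

int main(void)
{
    int lost = demo();

    if (lost < 0) { perror("demo"); return EXIT_FAILURE; }
    printf("euid %ld: set-user-id %s, set-group-id %s\n", (long)geteuid(),
           (lost & S_ISUID) ? "cleared" : "not cleared",
           (lost & S_ISGID) ? "cleared" : "not cleared");
    return EXIT_SUCCESS;
}
```

Running it once as an ordinary user and once as root shows whether the local chown(2) clears the bits in each case; a script that needs the bits set has to chmod after the chown, not before.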