Jan Schaumann <jscha...@netmeister.org> writes: > Hello, > > The manual page for chown(1) notes: > > The ownership of a file may only be altered by a super-user for > obvious security reasons. > > Unless invoked by the super-user, chown clears the set-user-id and > set-group-id bits on a file to prevent accidental or mischievous > creation of set-user-id and set-group-id programs. > > I observe: > > $ ls -l a.out > -rwsr-xr-x 1 root wheel 10468 Sep 18 16:59 a.out > $ sudo chown nobody a.out > $ ls -l a.out > -rwxr-xr-x 1 nobody wheel 10468 Sep 18 16:59 a.out
The relevant standards permit and actually seem to require this behavior: http://pubs.opengroup.org/onlinepubs/9699919799/functions/chown.html http://pubs.opengroup.org/onlinepubs/9699919799/utilities/chown.html So it seems that while chown(2) may clear the bits when the invoking user is root, chown(8) is required to clear them (on regular files). > Two questions: > > (1) If chowning files is only possible by the super-user ("for obvious > security reasons"), then why do we bother explicitly noting that "Unless > invoked by the super-user..." it clears the setuid bits? Isn't the > "Unless" clause redundant if chown(1) cannot succeed without super-user > privs anyway? Arguably this should perhaps be rephrased to be more security-model-neutral anyway.
Description: PGP signature