bug#52481: chown of coreutils may delete the suid of file
21625039 wrote:
> [root@fedora ~]# ll test.txt
> -rwsr-x---. 1 root root 0 Dec 13 21:13 test.txt
>
> [root@fedora ~]# chown root:root test.txt
> [root@fedora ~]# ll test.txt
> -rwxr-x---. 1 root root 0 Dec 13 21:13 test.txt

That is a feature of the Linux kernel, OpenBSD kernel, and NetBSD kernel, and I presume of other kernels too. I know that traditional Unix systems did not. But this is done by the kernel as a security mitigation against some types of attack.

For example a user might have a file which is in their own directory tree. It might be executable and setuid. Then through a social engineering attack they coerce root into copying the file or otherwise taking ownership of the directory tree because they are hoping to make use of the now newly chowned root file that is executable.

Therefore as a security mitigation implemented by the OS kernel the setuid bit is removed when chown'ing files. If this is truly desired then the file can be chmod'd explicitly after chown'ing the file.

This is entirely a kernel behavior and not of chown(1). This isn't specific to the chown(1) command line utility at all. For example you can test that the same behavior from the kernel exists when using any programming language. It will have the same behavior. Without Coreutils involved at all.

    # ll test.txt
    -rwsr-xr-x 1 rwp rwp 0 Dec 17 17:13 test.txt
    # perl -e 'chown 0, 0, "test.txt" or die;'
    # ll test.txt
    -rwxr-xr-x 1 root root 0 Dec 17 17:13 test.txt

Bob
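The chown-then-explicit-chmod sequence described in the reply above, as an added example that is not part of the thread or of coreutils: it records the mode before chown, reports whether the kernel cleared any bits, and puts them back only when asked. It assumes a stat that accepts -c '%a' (GNU coreutils or busybox); chown_report, mode_of and demo are hypothetical helper names.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes a stat that accepts -c '%a'
# (GNU coreutils or busybox). chown_report is a hypothetical helper name.

# mode_of FILE: print the octal mode, including setuid/setgid/sticky.
mode_of() {
    stat -c '%a' -- "$1"
}

# chown_report OWNER:GROUP FILE [--restore]
# Runs chown, then compares the mode before and after. Prints one of:
#   unchanged MODE        the kernel left the mode bits alone
#   dropped OLD -> NEW    the kernel cleared bits and they stay cleared
#   restored MODE         bits were cleared and --restore put them back
chown_report() {
    spec=$1
    file=$2
    restore=${3:-}
    before=$(mode_of "$file") || return 1
    chown -- "$spec" "$file" || return 1
    after=$(mode_of "$file") || return 1
    if [ "$before" = "$after" ]; then
        printf 'unchanged %s\n' "$after"
    elif [ "$restore" = "--restore" ]; then
        # The explicit chmod after chown that the reply describes.
        chmod -- "$before" "$file" || return 1
        printf 'restored %s\n' "$before"
    else
        printf 'dropped %s -> %s\n' "$before" "$after"
    fi
}

# Constructed demo on a scratch file; chown to our own uid:gid needs no root.
# Call "demo" after sourcing this file to try both paths.
demo() {
    f=$(mktemp) || return 1
    chmod 4750 "$f"
    chown_report "$(id -u):$(id -g)" "$f"
    chmod 4750 "$f"
    chown_report "$(id -u):$(id -g)" "$f" --restore
    rm -f -- "$f"
}
```

Leaving --restore off is the default so that a setuid bit only survives a change of ownership when the operator asks for it by name.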
bug#52481: chown of coreutils may delete the suid of file
On Tuesday, December 14, 2021 3:49:37 AM CET 21625039 wrote:
> I encountered a problem with chown on my fedora34 as the version of
> coreutils is 8.32.
>
> The reproduce process could see the steps below:
>
> [root@fedora ~]# ll test.txt
> -rw-r--r--. 1 root root 0 Dec 13 21:13 test.txt
> [root@fedora ~]# chmod 4750 test.txt
> [root@fedora ~]# ll test.txt
> -rwsr-x---. 1 root root 0 Dec 13 21:13 test.txt
> [root@fedora ~]# chown root:root test.txt
> [root@fedora ~]# ll test.txt
> -rwxr-x---. 1 root root 0 Dec 13 21:13 test.txt

I believe this is already documented [1]:

    "The chown command sometimes clears the set-user-ID or set-group-ID
    permission bits. This behavior depends on the policy and functionality
    of the underlying chown system call, which may make system-dependent
    file mode modifications outside the control of the chown command."

Kamil

[1] https://www.gnu.org/software/coreutils/manual/html_node/chown-invocation.html

> [root@fedora ~]# rpm -qa coreutils
> coreutils-8.32-19.fc34.x86_64
> [root@fedora ~]# cat /etc/fedora-release
> Fedora release 34 (Thirty Four)
>
> Looking forward to hearing from you!
>
> Thanks.
bug#52481: chown of coreutils may delete the suid of file
I encountered a problem with chown on my fedora34 as the version of coreutils is 8.32.

The reproduce process could see the steps below:

    [root@fedora ~]# ll test.txt
    -rw-r--r--. 1 root root 0 Dec 13 21:13 test.txt
    [root@fedora ~]# chmod 4750 test.txt
    [root@fedora ~]# ll test.txt
    -rwsr-x---. 1 root root 0 Dec 13 21:13 test.txt
    [root@fedora ~]# chown root:root test.txt
    [root@fedora ~]# ll test.txt
    -rwxr-x---. 1 root root 0 Dec 13 21:13 test.txt
    [root@fedora ~]# rpm -qa coreutils
    coreutils-8.32-19.fc34.x86_64
    [root@fedora ~]# cat /etc/fedora-release
    Fedora release 34 (Thirty Four)

Looking forward to hearing from you!

Thanks.