chown removes setuid bit: bug or feature?

by

Steps to reproduce:

<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="f89f9d8a95998ab890978b8c">[email protected]</a>:~$ cd /tmp/
<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="bcdbd9ced1ddcefcd4d3cfc8">[email protected]</a>:/tmp$ touch test && chmod u+s test && ls -la test
-rwSr--r-- 1 germar germar 0 Nov  2 20:11 test
<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="93f4f6e1fef2e1d3fbfce0e7">[email protected]</a>:/tmp$ chown germar:germar test && ls -la test
-rw-r--r-- 1 germar germar 0 Nov  2 20:11 test

Tested with Debian squeeze and Ubuntu 12.04

Contents hide
Answers:
Method 1
Method 2

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

Not a bug according to chown documentation:

$ info coreutils 'chown invocation'

   The `chown' command sometimes clears the set-user-ID or set-group-ID
permission bits.  This behavior depends on the policy and functionality
of the underlying `chown' system call, which may make system-dependent
file mode modifications outside the control of the `chown' command.
For example, the `chown' command might not affect those bits when
invoked by a user with appropriate privileges, or when the bits signify
some function other than executable permission (e.g., mandatory
locking).  When in doubt, check the underlying system behavior.

Method 2

This is by design, and it’s standard behavior. Quoting the POSIX standard:

Unless chown is invoked by a process with appropriate privileges, the set-user-ID and set-group-ID bits of a regular file shall be cleared upon successful completion; the set-user-ID and set-group-ID bits of other file types may be cleared.

(s is setuid (or setgid in the group column), not sticky, by the way.)

This behavior follows that of the underlying system call (except that on some systems, the setxid bits are only cleared for executable files).

The reason for removing the setuid bit is that changing the owner also changes which user will be the process’s effective user ID. In particular, on systems where a user can give away a file, cp /bin/sh foo; chmod u+s foo; chown joe foo would create a setuid executable belonging to joe, a giant security hole.


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x