SemiOT: filePro on FreeBSD chown gotcha

Fairlight fairlite at fairlite.com
Tue Jun 22 09:57:02 PDT 2004 

Is it just me, or did Jay Ashworth say:
> On Tue, Jun 22, 2004 at 12:04:13PM -0400, Walter Vaughan wrote:
> > <quote>
> > The ownership of a file may only be altered by a super-user for obvious
> > security reasons.
> > </quote>
> 
> Yeah, right.
> 
> It's for "university students can't avoid file quotas" reasons.

Agreed.  Whether someone considers quotas part of the security subsystem is
a questionable point.  Some might consider workarounds to exceed quotas
"unauthorised use".


> Nope; you're screwed.  BSD-ish systems, which include Linux, but not
> SCO, constrain chown(2) in that fashion; Linux-ABI commonly correctly
> emulates the SCO behaviour, although I'm having a showstopper problem
> with that on SUSE 9 right now: a kernel upgrade apparently broke *that
> part* of the ABI; older 9.0 installs work ok.

Hate to tell you, but Solaris 7 and 8 both constrain chown() as well.  By
default anyway.  But the following may help anyone on Solaris, and may also
give everyone else a basis to scour their own platforms for an equivalent:

     The  operating  system  provides  a  configuration   option,
     {_POSIX_CHOWN_RESTRICTED}, to restrict ownership changes for
     the   chown(),  lchown(),  and   fchown()  functions.   When
     {_POSIX_CHOWN_RESTRICTED}  is  not  in  effect,  either  the
     effective user ID of the process must match the owner of the
     file  or  the  process  must be the super-user to change the
     ownership of a file. When  {_POSIX_CHOWN_RESTRICTED}  is  in
     effect  (the  default  behavior), the chown(), lchown(), and
     fchown() functions, for users other than super-user, prevent
     the  owner  of  the  file from changing the owner ID  of the
     file and restrict the change of the group of the file to the
     list  of  supplementary group IDs. To set this configuration
     option, include the following line in /etc/system:

          set rstchown = 1

Looks like the behaviour is part of one of the POSIX standards.  It doesn't
surprise me that linux would honour it, in this event.  But it -may- be
configurable, as well.  I highly doubt it would be configurable in the same
way.  It might need a recompile of libc itself.  The reason I say this is a
cursory glance at the RH 7.3 chown(2) man page:

       The chown call conforms to SVr4, SVID, POSIX, X/OPEN.  The
       4.4BSD version can only be used by the superuser (that is,
       ordinary  users  cannot  give away files).  SVr4 documents
       EINVAL, EINTR,  ENOLINK  and  EMULTIHOP  returns,  but  no
       ENOMEM.   POSIX.1  does not document ENOMEM or ELOOP error
       conditions.

This implies to me that it's configurable if you compile it non-BSD-style.

mark->
-- 
Bring the web-enabling power of OneGate to -your- filePro applications today!

Try the live filePro-based, OneGate-enabled demo at the following URL:
               http://www2.onnik.com/~fairlite/flfssindex.html

More information about the Filepro-list mailing list