setperms on linux
Jean-Pierre A. Radley
appl at jpr.com
Wed Apr 12 20:11:03 PDT 2006
Mark Luljak propounded (on Wed, Apr 12, 2006 at 08:28:01PM -0400):
| It's not -all- systems on which it's been changed. SCO 5.6 lets you chown
| away from yourself. I just did it on someone's system. It's only on the
| sane ones. :) I've verified that Linux (as old as Cobalt 6.4 [RH 6.2 era])
| and Solaris (5|2).[78] both act in the newer secure fashion. I don't know
| any version of OpenServer that acts properly in restricting chown -by
| default-. Maybe UnixWare does, but I don't have access to one of those
| anymore. I do have access to a 5.0.6 system that won't let me chown away
| from myself, but it also implements quotas. I would expect the change is
| quite possibly (maybe even probably) bound to that system being enabled.
| On Linux, you're barred from a chown away from yourself even if quotas are
| not enabled. It's probably fixed in Solaris as well.
|
| IOW, SCO meets its usual security standards. *cough* At least it does strip
| the SUID bit in the process on systems in which it's inherently allowed, but
| that's not actually enough. Wish I had an IRIX system to check with--I'd
| be willing to bet they haven't addressed it either.
From the 'man chown' page on SCO OSR 6.0.0:
Use of this utility is governed by the chown kernel privilege.
Restricted chown is required for NIST FIPS 151-1 conformance.
If you have chown kernel privilege, you can change the owner and group
of files that you initially own. If you do not have chown privilege,
you cannot change the ownership of files; you can change their group,
but only if the files are initially owned by you, and the new group is
your effective group ID or is listed in your supplemental group list.
--
JP
==> http://www.frappr.com/cusm <==
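The behaviour the thread is arguing about (can an ordinary user "chown away" a file, and is the setuid bit stripped when ownership changes) is exactly what POSIX calls restricted chown, and it can be probed from C rather than by trying it on a colleague's box. The program below is an added example written for this archive page, not code from the original thread or from SCO; it assumes a writable $TMPDIR or /tmp, uid 65534 as the "someone else" target when run as root, and Linux chown(2) semantics for the setuid-stripping check. It asks pathconf() for _PC_CHOWN_RESTRICTED, creates a setuid file, tries to give it to another user, and then changes only the group to the caller's own effective group, which the SCO man page excerpt above says is allowed even without the chown privilege.

```c
/* restricted_chown_probe.c -- added example, not from the original thread.
 * Probes whether chown(2) is "restricted" (_POSIX_CHOWN_RESTRICTED) and shows
 * what happens when the caller tries to give a setuid file away.
 * Assumptions: writable $TMPDIR or /tmp; uid 65534 exists when run as root;
 * Linux semantics (a successful chown clears S_ISUID on a regular file).
 */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum chown_policy { CHOWN_RESTRICTED = 1, CHOWN_UNRESTRICTED = 2, CHOWN_UNKNOWN = 3 };

struct giveaway_result {
    int policy;      /* enum chown_policy for the directory holding the file */
    int rc;          /* return value of fchown() when giving the file away */
    int err;         /* errno when rc == -1 (EPERM on a restricted system) */
    int suid_before; /* 1 if S_ISUID was set before the ownership change */
    int suid_after;  /* 1 if S_ISUID is still set afterwards */
    int group_rc;    /* return value of changing only the group to our egid */
    int group_err;   /* errno for that group change when it failed */
};

/* pathconf() reports -1 with errno unchanged when an option is simply absent,
 * so errno must be cleared first to tell "unsupported" from "error". */
int probe_chown_policy(const char *path)
{
    errno = 0;
    long v = pathconf(path, _PC_CHOWN_RESTRICTED);
    if (v == -1)
        return errno == 0 ? CHOWN_UNRESTRICTED : CHOWN_UNKNOWN;
    return v > 0 ? CHOWN_RESTRICTED : CHOWN_UNRESTRICTED;
}

struct giveaway_result try_giveaway(void)
{
    struct giveaway_result r;
    memset(&r, 0, sizeof r);

    const char *dir = getenv("TMPDIR");            /* assumption: writable */
    if (!dir || !*dir) dir = "/tmp";
    char path[4096];
    snprintf(path, sizeof path, "%s/chown-probe-XXXXXX", dir);

    int fd = mkstemp(path);
    if (fd == -1) { r.policy = CHOWN_UNKNOWN; r.rc = -1; r.err = errno; return r; }
    unlink(path);            /* the open fd keeps the inode alive */

    r.policy = probe_chown_policy(dir);

    /* Mark the file setuid-executable so we can watch whether a successful
     * ownership change strips the bit, as the thread says SCO does. */
    fchmod(fd, S_ISUID | S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH);
    struct stat st;
    fstat(fd, &st);
    r.suid_before = (st.st_mode & S_ISUID) != 0;

    /* Pick an owner that is not us: root when unprivileged, uid 65534
     * ("nobody" on most systems; an assumption) when already root. */
    uid_t other = geteuid() == 0 ? (uid_t)65534 : (uid_t)0;
    r.rc = fchown(fd, other, (gid_t)-1);
    r.err = r.rc == -1 ? errno : 0;

    fstat(fd, &st);
    r.suid_after = (st.st_mode & S_ISUID) != 0;

    /* Changing only the group, to a group we belong to, is permitted even on
     * a restricted system as long as we still own the file (root always may). */
    r.group_rc = fchown(fd, (uid_t)-1, getegid());
    r.group_err = r.group_rc == -1 ? errno : 0;

    close(fd);
    return r;
}

int main(void)
{
    struct giveaway_result r = try_giveaway();
    printf("restricted chown: %s\n",
           r.policy == CHOWN_RESTRICTED ? "yes" :
           r.policy == CHOWN_UNRESTRICTED ? "no" : "unknown");
    if (r.rc == 0)
        printf("chown away succeeded (privileged caller); setuid bit %s\n",
               r.suid_after ? "kept" : "stripped");
    else
        printf("chown away refused: %s\n", strerror(r.err));
    printf("chgrp to own group: %s\n",
           r.group_rc == 0 ? "ok" : strerror(r.group_err));
    return 0;
}
```

Run it as an ordinary user and the chown attempt comes back EPERM while the group change to your own effective group succeeds; run it as root and the chown succeeds but the setuid bit is gone afterwards, which is the part of the SCO behaviour the thread notes is necessary but "not actually enough" on a system that lets anyone give files away.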
More information about the Filepro-list mailing list