setperms on linux
Bill Campbell
bill at celestial.com
Thu Apr 13 10:21:37 PDT 2006
On Wed, Apr 12, 2006, Fairlight wrote:
>On Wed, Apr 12, 2006 at 06:53:11PM -0400, after drawing runes in goat's blood,
>Kenneth Brody cast forth these immortal, mystical words:
>> Quoting Brian K. White (Wed, 12 Apr 2006 18:23:31 -0400):
>> [...]
>> > Is it just me or is it just plain inexcusably broken for chown to even
>> > _touch_ the chmod bits??
>> [...]
>
>It's just Brian. (And anyone else not conversant in security.)
>
>> I vaguely remember this from many years ago as a security issue. On
>> some systems, chown is allowed to change an ownership from the current
>> uid to something else. (Though I think chown is now executable only
>> by root, eliminating this problem.) Imagine creating an executable,
>> setting the setuid bit, and then chown root'ing it.
>
>That was indeed a hole. On some systems you could chown files off of
>yourself and onto someone else. This was changed for several reasons:
>
>1) It allowed the above issue with suid.
>
>2) It allowed users to bypass filesystem quotas. You could just create
>a file and chown it onto someone else's account and keep under your quota
>"officially" while technically being well over it.
>
>Ken is right in that chown became root-restricted on many systems.
>However, not all systems were changed.
>
>Actually, I personally think tar should strip SUID bits. Some versions
>do, I believe, but not all. It's pointless (and indeed harmful) unless you
>can guarantee UID portability--which is a joke to anyone not running NFS,
>usually, where you MUST maintain UID continuity--or guarantee that it does
>it by username->uid lookup.

On Linux and FreeBSD systems, one of the mount options is nosuid which
disables any setuid on the mounted file system (and noexec to prevent *ANY*
executables).

...

>Oh, now here's a gem. I got thinking about tar, right? WORSE: rsync! I
>just rsync'd a file that's 4755 fairlite on my linux box to a totally
>different account on Solaris. It maintained the suid bit. I can't believe
>that. Very tempted to submit that as a vulnerability. That's just wrong
>on so many levels. There's -no- mechanism for matching users there.
>
>But hey...Brian might think it's sane.

If one is using rsync for backups, and wants to be able to restore so
things work, it's sane (same for tar or other archiving software).

I think that SuSE Linux sets nosuid and noexec in /etc/fstab on any file
systems that are user mountable to prevent this type of abuse.

Bill
--
INTERNET: bill at Celestial.COM Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
``If we got one-tenth of what was promised to us in these acceptance
speeches there wouldn't be any inducement to go to heaven.''
Will Rogers
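
An added example (not part of the original message or the list archive): a Python check for the /etc/fstab practice mentioned in the reply above, flagging user-mountable entries that still permit setuid or executable files. The sample fstab is constructed, and the implied-option handling follows the behaviour documented in Linux mount(8); only user/users/owner/group and suid/nosuid/exec/noexec are modelled.

```python
# Added example: audit fstab-style entries for user-mountable filesystems
# that end up allowing setuid or executable files.

# Constructed sample input, not taken from any real system.
SAMPLE_FSTAB = """\
# device      mountpoint     type     options                dump pass
/dev/sda1     /              ext3     defaults               1 1
/dev/cdrom    /media/cdrom   iso9660  ro,user,noauto         0 0
/dev/sdb1     /media/usb     vfat     user,exec,suid,noauto  0 0
/dev/fd0      /media/floppy  vfat     noauto,suid,users      0 0
/dev/sdc1     /media/zip     vfat     owner,noauto           0 0
"""

def effective_flags(options):
    """Return (user_mountable, suid_allowed, exec_allowed).

    Options are applied left to right, so a later option overrides an
    earlier one, as mount(8) describes for "user,exec,dev,suid".
    """
    user_mountable, suid, exe = False, True, True
    for opt in options.split(","):
        if opt in ("user", "users"):
            # mount(8): implies noexec, nosuid and nodev
            user_mountable, suid, exe = True, False, False
        elif opt in ("owner", "group"):
            # mount(8): implies nosuid and nodev, but NOT noexec
            user_mountable, suid = True, False
        elif opt in ("suid", "nosuid"):
            suid = opt == "suid"
        elif opt in ("exec", "noexec"):
            exe = opt == "exec"
    return user_mountable, suid, exe

def audit(fstab_text):
    """Return {mountpoint: [allowed risky features]} for user-mountable entries."""
    findings = {}
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) < 4:
            continue
        user_mountable, suid, exe = effective_flags(fields[3])
        risky = [name for name, on in (("suid", suid), ("exec", exe)) if on]
        if user_mountable and risky:
            findings[fields[1]] = risky
    return findings

if __name__ == "__main__":
    for mountpoint, risky in audit(SAMPLE_FSTAB).items():
        print(f"{mountpoint}: user-mountable with {', '.join(risky)} allowed")
```

In the constructed sample, /media/usb is flagged because suid and exec come after user and override it, /media/floppy is not because users comes after suid, and /media/zip is flagged for exec because owner does not imply noexec.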