OT: chown and permissions

Jay R. Ashworth jra at baylink.com
Sat Apr 15 12:39:05 PDT 2006


On Wed, Apr 12, 2006 at 08:28:01PM -0400, Fairlight wrote:
> Oh, now here's a gem.  I got thinking about tar, right?  WORSE:  rsync!  I
> just rsync'd a file that's 4755 fairlite on my linux box to a totally
> different account on Solaris.  It maintained the suid bit.  I can't believe
> that.  Very tempted to submit that as a vulnerability.  That's just wrong
> on so many levels.  There's -no- mechanism for matching users there.

IMHO, rsync should not be able to set the S*ID bits on any file it touches
unless the file is of the same ownership as the user running the
program, or that user is root -- and while I see that this can cause
problems when the two machines are not {under the same administrative
span of control, using the same UID map}, that's an installer
administrative issue; the code should provide a mechanism to be even
more secure -- and perhaps even default to it -- but should also allow
the more relaxed behavior.

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra at baylink.com
Designer                          Baylink                             RFC 2100
Ashworth & Associates        The Things I Think                        '87 e24
St Petersburg FL USA      http://baylink.pitas.com             +1 727 647 1274

     A: Because it messes up the order in which people normally read text.
     Q: Why is top-posting such a bad thing? 
     
     A: Top-posting.
     Q: What is the most annoying thing on Usenet and in e-mail?
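The policy Jay describes above (S*ID bits should not survive a sync unless the invoking user owns the file or is root) can be checked and enforced on the receiving side with ordinary POSIX tools. The script below is an added example written for this page, not code from the thread or from the rsync project: it audits a tree for setuid/setgid regular files, strips those bits, and wraps rsync with its real `--chmod=u-s,g-s` option so the bits are dropped at transfer time. The directory layout and file names in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a directory tree for
# setuid/setgid regular files and apply the policy discussed in the post.

# Print every regular file under $1 with the setuid or setgid bit set.
# -perm -4000 / -perm -2000 match when that bit is set (POSIX find).
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Number of setid regular files under $1 (used by the audit and the test).
count_setid_files() {
    list_setid_files "$1" | wc -l | tr -d ' '
}

# Setid files under $1 whose owner is not the invoking user. After an
# unprivileged sync into an account, any hit here is exactly the case the
# post objects to: a setid bit left on a file the syncing user does not own.
list_foreign_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) ! -user "$(id -un)" -print
}

# Receiving-side cleanup: clear setuid/setgid on every regular file in the
# tree. Use this after a sync from a host whose UID map you do not trust.
strip_setid_in_tree() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +
}

# Sending-side alternative: rsync's --chmod applies a chmod-style string to
# the permissions it would otherwise preserve, so "-a --chmod=u-s,g-s" keeps
# ownership/timestamps/mode but never creates a setid file on the receiver.
# (Not invoked by the demo below; it needs rsync and a real destination.)
sync_without_setid() {
    src=$1; dst=$2
    rsync -a --chmod=u-s,g-s -- "$src" "$dst"
}

# Demo on a constructed tree: one setuid script and one setgid helper.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho hi\n' > "$demo_dir/tool"
chmod 4755 "$demo_dir/tool"            # setuid, like the 4755 file in the post
mkdir "$demo_dir/sub"
: > "$demo_dir/sub/helper"
chmod 2755 "$demo_dir/sub/helper"      # setgid

echo "setid files before cleanup: $(count_setid_files "$demo_dir")"
echo "foreign-owned setid files:  $(list_foreign_setid_files "$demo_dir" | wc -l | tr -d ' ')"
strip_setid_in_tree "$demo_dir"
echo "setid files after cleanup:  $(count_setid_files "$demo_dir")"
rm -rf "$demo_dir"
```

Run `list_foreign_setid_files` as the account that received the sync: in the demo it reports nothing because the constructed files belong to the current user, which is the one case the post's policy would allow to keep the bits. On a real receiver, any path it prints is a file whose setid bit arrived without a matching owner and should be cleared with `strip_setid_in_tree`, or avoided up front by syncing with `--chmod=u-s,g-s`.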


More information about the Filepro-list mailing list