OT: chown and permissions

Fairlight fairlite at fairlite.com
Sat Apr 15 15:03:17 PDT 2006


Only Jay Ashworth would say something like:
> On Wed, Apr 12, 2006 at 08:28:01PM -0400, Fairlight wrote:
> > Oh, now here's a gem.  I got thinking about tar, right?  WORSE:  rsync!  I
> > just rsync'd a file that's 4755 fairlite on my linux box to a totally
> > different account on Solaris.  It maintained the suid bit.  I can't believe
> > that.  Very tempted to submit that as a vulnerability.  That's just wrong
> > on so many levels.  There's -no- mechanism for matching users there.
> 
> IMHO, rsync should not be able to set the S*ID bits on any file it touches
> unless the file is of the same ownership as the user running the
> program, or that user is root -- and while I see that this can cause
> problems when the two machines are not {under the same administrative
> span of control,using the same UID map}, that's an installer
> administrative issue; the code should provide a mechanism to be even
> more secure -- and perhaps even default to it -- but should also allow
> the more relaxed behavior.

Agreed.  I'd opt for default secure, optional relaxed.  Think it's worth a
letter to the maintainer(s)?  You wanna do it, or should I?

mark->
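The policy proposed in the quoted message (keep set-id bits only when the file's owner is the user applying the permissions, or that user is root) can be checked on the receiving side after the fact. The script below is an added illustration, not code from this thread, from rsync, or from filePro: it walks a tree, lists regular files carrying setuid or setgid, and optionally clears those bits on files whose owner does not match the running user. The function names and the `running_uid` override (there so the policy can be exercised without actually switching users) are my own choices.

```python
import os
import stat
import sys
from typing import List, Optional

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def safe_mode(mode: int, file_uid: int, running_uid: int) -> int:
    """Return `mode` with setuid/setgid cleared unless the policy allows them.

    Policy (as proposed in the thread): the bits survive only if the file is
    owned by the user applying the permissions, or that user is root.
    """
    if running_uid == 0 or file_uid == running_uid:
        return mode
    return mode & ~SETID_BITS


def find_setid_files(root: str) -> List[str]:
    """Walk `root` and return regular files that carry setuid or setgid."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                hits.append(path)
    return sorted(hits)


def strip_foreign_setid(root: str, running_uid: Optional[int] = None) -> List[str]:
    """Apply safe_mode() to every set-id file under `root`.

    Returns the paths whose mode was changed. `running_uid` defaults to the
    effective uid; it is a parameter only so the policy can be tested.
    """
    if running_uid is None:
        running_uid = os.geteuid()
    changed = []
    for path in find_setid_files(root):
        st = os.lstat(path)
        current = stat.S_IMODE(st.st_mode)
        wanted = safe_mode(current, st.st_uid, running_uid)
        if wanted != current:
            os.chmod(path, wanted)
            changed.append(path)
    return changed


if __name__ == "__main__":
    # Usage: python audit_setid.py DIR [--fix]
    # Without --fix the script only reports; with it, foreign set-id bits are cleared.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for p in find_setid_files(target):
        print("set-id:", p, oct(stat.S_IMODE(os.lstat(p).st_mode)))
    if "--fix" in sys.argv:
        for p in strip_foreign_setid(target):
            print("cleared:", p)
```

Run it against the destination directory of a transfer to see which files arrived with set-id bits; the `--fix` pass enforces the stricter default the thread argues for, while leaving files you own (or everything, when run as root) untouched.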

