Subject: kern/4662: chown(2) removes SUID/SGID bits
To: None <gnats-bugs@gnats.netbsd.org>
From: None <windsor@warthog.com>
List: netbsd-bugs
Date: 12/09/1997 21:50:11
>Number:         4662
>Category:       kern
>Synopsis:       chown(2) removes SUID/SGID bits
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Tue Dec  9 19:50:01 1997
>Last-Modified:
>Originator:     Rob Windsor
>Organization:
>Release:        NetBSD 1.3_BETA 971209
>Environment:
	
System: NetBSD menace 1.3_BETA NetBSD 1.3_BETA (MENACE) #20: Tue Dec 9 14:49:17 CST 1997 windsor@menace:/usr/src/sys/arch/sparc/compile/MENACE sparc


>Description:
	chown(2) automatically strips suid/sgid bits.  It doesn't need to,
	even to follow the POSIX specifications.  This is "new behavior"
	that is not consistent with other versions of unix (caveat: linux).

>How-To-Repeat:

(as root, of course)
(r) grind# touch foo ; chown root.wheel foo ; chmod a+x,u+s foo ; ls -l foo
-rwsr-xr-x   1 root     wheel           0 Dec  9 20:50 foo
(r) grind# chown bin.bin foo ; ls -lg foo
-rwxr-xr-x   1 bin      bin             0 Dec  9 20:50 foo
	
>Fix:

*** src/sys/kern/vfs_syscalls.c.orig    Tue Dec  9 13:29:52 1997
--- src/sys/kern/vfs_syscalls.c Tue Dec  9 15:12:44 1997
***************
*** 1661,1669 ****
--- 1661,1671 ----
        if ((error = VOP_GETATTR(vp, &vattr, p->p_ucred, p)) != 0)
                goto out;
  
+ #if 0 /* XXX yuk, this smells like linux here. */
        /* Clear (S_ISUID | S_ISGID) bits: alter va_mode only if necessary. */
        if (vattr.va_mode & (S_ISUID | S_ISGID))
                newmode = vattr.va_mode & ~(S_ISUID | S_ISGID);
+ #endif
  
        VATTR_NULL(&vattr);
        vattr.va_uid = uid;
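
Review bot: The `#if 0` around the `S_ISUID | S_ISGID` clearing disables it for every caller, not only for root as in the How-To-Repeat; nothing in the visible lines checks `p->p_ucred` before skipping the clear. A set-id file whose owner or group changes would then keep those bits under the new identity no matter who made the call. Consider keeping the block and gating it on the caller's privilege instead of compiling it out. With the block disabled, `newmode` is no longer assigned anywhere in this hunk, so confirm that whatever consumes it later still sees a defined value. The `#if 0` with an "XXX yuk" comment also leaves dead code without stating the intended semantics; either delete the block or replace the comment with one that says when the bits are meant to survive.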

>Audit-Trail:
>Unformatted: