netbsd-users: Re: Group IDs of directories (was Re: Sticky bit?)

Subject: Re: Group IDs of directories (was Re: Sticky bit?)
To: None <netbsd-users@NetBSD.ORG>
From: Benjamin Lorenz <benni@phil.uni-sb.de>
List: netbsd-users
Date: 09/10/1997 15:19:34

In article <Pine.NEB.3.96.970910084137.13528D-100000@like.duh.org> you write:

>This is a weirdness that's partly 4.4BSD's fault.  New files in directories
>are created with the group-id of that directory, which is IMHO a bad idea.
>It should always start out with the user and primary group ID of the
>creator.  Or at least, the primary group ID of the creator if the creator is
>not in the group ID of the directory. 
>
>Now, I've seen systems where directories utilised the set-gid bit to "cause" 
>the 4.4BSD behaviour of setting the group-id.  Can we implement something
>like this to keep it from being default?  It seems to me that changing the
>group ID, if the file's creator is not in that group, is a security problem
>(Think if the user's umask is 002), though that may be the intent(?).

To clarify my problems, here's a short session snapshot:

lorenz@schlunz<~>% uname -a
NetBSD schlunz 1.2G NetBSD 1.2G (BENNI) #1: Wed Aug  6 01:30:08 CEST 1997 \
 root@schlunz:/usr/src/sys/arch/atari/compile/BENNI atari
lorenz@schlunz<~>% ll -d /tmp
drwxrwxrwt  3 root  wheel  512 Sep 10 15:11 /tmp
lorenz@schlunz<~>% id
uid=658(lorenz) gid=630(ps-s) groups=630(ps-s), 640(ps-soft), 670(ps-db)

... note that I am not in the group `wheel'.

lorenz@schlunz<~>% ll test
-rw-r--r--  1 lorenz  ps-s  0 Sep 10 15:04 test
lorenz@schlunz<~>% cp test /tmp/test1 ; mv test /tmp/test2
lorenz@schlunz<~>% ll /tmp/test*
-rw-r--r--  1 lorenz  wheel  0 Sep 10 15:13 /tmp/test1
-rw-r--r--  1 lorenz  ps-s   0 Sep 10 15:04 /tmp/test2

... whoops?

lorenz@schlunz<~>% df . /tmp
Filesystem            1K-blocks     Used    Avail Capacity  Mounted on
fs-home:/home/ps-home   2062206  1628271   330825    83%    /home/ps-home
/dev/sd3a                 94198    12826    76662    14%    /
lorenz@schlunz<~>% mv /tmp/test1 ~
mv: /home/ps-home/lorenz/test1: set owner/group: Operation not permitted

... problem!

lorenz@schlunz<~>% mv /tmp/test2 ~

... this is ok...

So, the problem only occurs when doing a `cp' to /tmp, not when doing a
`mv'. This is interesting, as in both cases the file has to be created
(see df output, ~ and /tmp are on different filesystems).

Benni
-- 
      /'^'\
     ( o o )          Benjamin Lorenz, 66111 Saarbrücken, 0681 / 372253
-oOOO--(_)--OOOo----  benni@{phil,ps}.uni-sb.de, 0681 / 302-{2239,5633}