Jan Schaumann <jschauma%netmeister.org@localhost> writes:
> Hello,
>
> The manual page for chown(1) notes:
>
> The ownership of a file may only be altered by a super-user for
> obvious security reasons.
>
> Unless invoked by the super-user, chown clears the set-user-id and
> set-group-id bits on a file to prevent accidental or mischievous
> creation of set-user-id and set-group-id programs.
>
> I observe:
>
> $ ls -l a.out
> -rwsr-xr-x 1 root wheel 10468 Sep 18 16:59 a.out
> $ sudo chown nobody a.out
> $ ls -l a.out
> -rwxr-xr-x 1 nobody wheel 10468 Sep 18 16:59 a.out

The relevant standards permit and actually seem to require this
behavior:

http://pubs.opengroup.org/onlinepubs/9699919799/functions/chown.html
http://pubs.opengroup.org/onlinepubs/9699919799/utilities/chown.html

So it seems that while chown(2) may clear the bits when the invoking
user is root, chown(8) is required to clear them (on regular files).

> Two questions:
>
> (1) If chowning files is only possible by the super-user ("for obvious
> security reasons"), then why do we bother explicitly noting that "Unless
> invoked by the super-user..." it clears the setuid bits? Isn't the
> "Unless" clause redundant if chown(1) cannot succeed without super-user
> privs anyway?

Arguably this should perhaps be rephrased to be more
security-model-neutral anyway.