Mailing List Archive

In message <19990109215152.C32046@kitenet.net>, Joey Hess writes:
+-----
| On a 2.1pre4 machine:
| root@kite:~>ls -l foo
| -rwsrw-r-- 1 root joey 0 Jan 9 17:13 foo*
| root@kite:~> chown root.root foo; ls -l foo
| -rwsrw-r-- 1 root root 0 Jan 9 17:13 foo*
+--->8
GAK!!! Security flaw here, methinks. chown should unconditionally clear
setuid and setgid.
--
brandon s. allbery [os/2][linux][solaris][japh] allbery@kf8nh.apk.net
system administrator [WAY too many hats] allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering KF8NH
We are Linux. Resistance is an indication that you missed the point.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

> In message <19990109215152.C32046@kitenet.net>, Joey Hess writes:
> +-----
> | On a 2.1pre4 machine:
> | root@kite:~>ls -l foo
> | -rwsrw-r-- 1 root joey 0 Jan 9 17:13 foo*
> | root@kite:~> chown root.root foo; ls -l foo
> | -rwsrw-r-- 1 root root 0 Jan 9 17:13 foo*
> +--->8
>
> GAK!!! Security flaw here, methinks. chown should unconditionally clear
> setuid and setgid.
Except when done by root
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

On Sat, 9 Jan 1999, Joey Hess wrote:
# On a 2.1pre4 machine:
# root@kite:~>ls -l foo
# -rwsrw-r-- 1 root joey 0 Jan 9 17:13 foo*
# root@kite:~> chown root.root foo; ls -l foo
# -rwsrw-r-- 1 root root 0 Jan 9 17:13 foo*
#
# On a 2.0.x machine:
# cookie:~# ls -l foo
# -rwsr--r-- 1 root james 0 Jan 10 01:44 foo
# cookie:~# chown root.root foo; ls -l foo
# -rwxr--r-- 1 root root 0 Jan 10 01:44 foo
#
# Why did the file lose it's suid bit before, and not anymore?
Yah. I verify that this is true also. Previously (pre 2.2pre's) chowning
anything would remove all SUID flags. Now, nothing is changed. I had
always thought this was a security feature to prevent someone gaining root
suid access through some symlink trick.
Anyway, it appears that this is the code that changed and made the
difference:
(~linux/fs/open.c)
if ((inode->i_mode & S_ISUID) == S_ISUID &&
!S_ISDIR(inode->i_mode)
&& current->fsuid)
{
newattrs.ia_mode &= ~S_ISUID;
newattrs.ia_valid |= ATTR_MODE;
}
where is used to be:
if (inode->i_mode & S_ISUID) {
newattrs.ia_mode &= ~S_ISUID;
newattrs.ia_valid |= ATTR_MODE;
}
G'day!
-- n i c h o l a s j l e o n
elegance through simplicity*http://mrnick.binary9.net*nicholas@binary9.net
good fortune through truth*roaming:njllm@email.msn.com*ICQ#2170994*U+($++)
TRA#6805*not all questions have answers*pseudogeek:P+++($++)L+($++)W=lm@b9
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

In article <cistron.199901110125.UAA24076@rushlight.kf8nh.apk.net>,
Brandon S. Allbery KF8NH <allbery@kf8nh.apk.net> wrote:
>In message <19990109215152.C32046@kitenet.net>, Joey Hess writes:
>+-----
>| On a 2.1pre4 machine:
>| root@kite:~>ls -l foo
>| -rwsrw-r-- 1 root joey 0 Jan 9 17:13 foo*
>| root@kite:~> chown root.root foo; ls -l foo
>| -rwsrw-r-- 1 root root 0 Jan 9 17:13 foo*
>+--->8
>
>GAK!!! Security flaw here, methinks. chown should unconditionally clear
>setuid and setgid.
Not unconditionally. It should only happen on regular files and not
directories. Now 2.0.x and 2.1.x cleared the setuid/setgid bit on
directories too, and that got fixed. However it looks like it
got fixed a bit too much :/
Mike.
--
Indifference will certainly be the downfall of mankind, but who cares?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

From: "Brandon S. Allbery KF8NH" <allbery@kf8nh.apk.net>
In message <19990109215152.C32046@kitenet.net>, Joey Hess writes:
+-----
| On a 2.1pre4 machine:
| root@kite:~>ls -l foo
| -rwsrw-r-- 1 root joey 0 Jan 9 17:13 foo*
| root@kite:~> chown root.root foo; ls -l foo
| -rwsrw-r-- 1 root root 0 Jan 9 17:13 foo*
+--->8
GAK!!! Security flaw here, methinks. chown should unconditionally clear
setuid and setgid.
Well, there is the system call and the utility.
About the system call:
POSIX.1 (5.6.5.2) paraphrased: suid and sgid bits shall be cleared
unless the chown was invoked by root, in which case it is
implementation dependent whether these bits are cleared or not.
(Single Unix Spec says the same.)
About the utility: it should do what the call does.
So, yes you may be right about the security. Both behaviours are allowed
by the standards.
--
brandon s. allbery [os/2][linux][solaris][japh] allbery@kf8nh.apk.net
We are Linux. Resistance is an indication that you missed the point.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

In message <m0zzjRk-0007U2C@the-village.bc.nu>, Alan Cox writes:
+-----
| > In message <19990109215152.C32046@kitenet.net>, Joey Hess writes:
| > | On a 2.1pre4 machine:
| > | root@kite:~>ls -l foo
| > | -rwsrw-r-- 1 root joey 0 Jan 9 17:13 foo*
| > | root@kite:~> chown root.root foo; ls -l foo
| > | -rwsrw-r-- 1 root root 0 Jan 9 17:13 foo*
| >
| > GAK!!! Security flaw here, methinks. chown should unconditionally clear
| > setuid and setgid.
|
| Except when done by root
+--->8
Especially when done by root, I'd think. Less risk of inadvertently opening
a security hole --- if I want the thing set[ug]id I should have to
explicitly make it so.
--
brandon s. allbery [os/2][linux][solaris][japh] allbery@kf8nh.apk.net
system administrator [WAY too many hats] allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering KF8NH
We are Linux. Resistance is an indication that you missed the point.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

On 11 Jan 1999, Miquel van Smoorenburg wrote:
> In article <cistron.199901110125.UAA24076@rushlight.kf8nh.apk.net>,
> Brandon S. Allbery KF8NH <allbery@kf8nh.apk.net> wrote:
> >In message <19990109215152.C32046@kitenet.net>, Joey Hess writes:
> >+-----
> >| On a 2.1pre4 machine:
> >| root@kite:~>ls -l foo
> >| -rwsrw-r-- 1 root joey 0 Jan 9 17:13 foo*
> >| root@kite:~> chown root.root foo; ls -l foo
> >| -rwsrw-r-- 1 root root 0 Jan 9 17:13 foo*
> >+--->8
> >
> >GAK!!! Security flaw here, methinks. chown should unconditionally clear
> >setuid and setgid.
>
Forgive my stupidity, but under 2.0.x i always considered the setuid loss
on chown a flaw. I, personally, feel it should keep the setuid bit. If
you're chowning something YOU own, setuid'd to you, why take the bit off??
Am I missing something trivial here?
-Tony
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco Network Administrator/Engineer
admin@intergrafix.net Intergrafix Internet Services
"The best way to predict the future, is to invent it."
http://cygnus.ncohafmuta.com http://www.intergrafix.net
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

On Tue, 12 Jan 1999, Alan Modra wrote:
> On 11 Jan 1999, Miquel van Smoorenburg wrote:
> > In article <cistron.199901110125.UAA24076@rushlight.kf8nh.apk.net>,
> > Brandon S. Allbery KF8NH <allbery@kf8nh.apk.net> wrote:
> > >
> > >GAK!!! Security flaw here, methinks. chown should unconditionally clear
> > >setuid and setgid.
> >
> > Not unconditionally. It should only happen on regular files and not
> > directories. Now 2.0.x and 2.1.x cleared the setuid/setgid bit on
> > directories too, and that got fixed. However it looks like it
> > got fixed a bit too much :/
>
> man 2 chown
>
> When the owner or group of an executable file are changed
> by a non-super-user, the S_ISUID and S_ISGID mode bits are
> cleared. POSIX does not specify whether this also should
> happen when root does the chown; the Linux behaviour
> depends on the kernel version. In case of a non-group-
> executable file (with clear S_IXGRP bit) the S_ISGID bit
> indicates mandatory locking, and is not cleared by a
> chown.
>
> So David Niemi's code is quite correct, but I must admit I like root
> changing uid to clear S_ISUID and changing gid to clear S_ISGID.
> David, what was the reason to treat root differently? Compatibility with
> SunOS 4.1.4 and 5.1.5, which behave the same as linux-2.2.0?
Right, the new behavior is intended to exactly match SunOS/Solaris and is
should be more consistent with the rest of UNIX in general. The old
behavior was highly nonstandard and made group-controlled permissions on
directories (e.g. with CVS) rather impractical (and for that matter didn't
even match its own comments or man page).
I consulted POSIX and UNIX98 as well, but they did not have anything to say
about root doing chown and chgrp, so I went for "standard UNIX practice".
I'm also skeptical there is any compelling security reason to drop setuid
when root is doing a chown/chgrp, if root can chown it root can just as
well chmod it again afterwards. Also, if root chowning causes bits in
permissions to be cleared, it can result in some utilities not preserving
permissions as expected when doing copies and restores (depending on the
order the utility does the chown and chmod in).
Paraphrasing from POSIX.1/UNIX98 by Andrew Josey of TOG:
> Unless chown() is invoked by a process with appropriate privileges,
> the set-user-ID and set-group-ID bits of a regular file will be cleared
> upon successful completion; the set-user-ID and set-group-ID bits of
> other file types may be cleared. If the process has appropriate
> privileges it is implementation defined whether the bits are cleared.
>
> The specification only defines the behavior for regular files, and
> intentionally says it "may be cleared" on other file types to allow
> implementations to use these bits in other ways for directories and
> other files. For example on many systems (at least SVR4) doing a chmod
> g+s on a directory causes files to be created in that directory to take
> on the group ownership of the directory.
Anyone care to check behavior on *BSD, Digital/Compaq UNIX, HP/UX,
UnixWare, AIX, etc.? Don't forget, directories are treated different from
files and sgid bits may be treated differently from suid bits.
--- David C Niemi ---niemi at tux.org--- Reston, Virginia, USA ---
But only the man who cares about something in itself, who loves
it and does it *con amore*, will do it in all seriousness. The
highest achievement has always been that of such men, and not of
the hacks who serve for pay. -- Arthur Schopenhauer
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Alan Cox <alan@lxorguk.ukuu.org.uk> wrote:
> > GAK!!! Security flaw here, methinks. chown should unconditionally clear
> > setuid and setgid.
>
> Except when done by root
Race condition if you can figure out what root is doing -- just setuid
between time root examines files and chown.
Alternatively, security bug if chown is used in a script written under
2.0 (which relies on the current behavior).
--
Raul
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Hi,
On Mon, 11 Jan 1999 15:40:02 +0000 (GMT), alan@lxorguk.ukuu.org.uk
(Alan Cox) said:
>> In message <19990109215152.C32046@kitenet.net>, Joey Hess writes:
>> GAK!!! Security flaw here, methinks. chown should unconditionally clear
>> setuid and setgid.
> Except when done by root
Is there any consensus on this? According to singleunix, suid and
sgid on regular files get cleared unconditionally except when the
caller has "appropriate privileges", but in that case the behaviour is
implementation-defined. What do other unixen do in this case?
--Stephen
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

> Race condition if you can figure out what root is doing -- just setuid
> between time root examines files and chown.
If you can edit a file root is planning to setuid root then there are
bigger problems anyway
> Alternatively, security bug if chown is used in a script written under
> 2.0 (which relies on the current behavior).
Name one.
Alan
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

On Mon, 11 Jan 1999, System Administrator wrote:
> Forgive my stupidity, but under 2.0.x i always considered the setuid loss
> on chown a flaw. I, personally, feel it should keep the setuid bit. If
> you're chowning something YOU own, setuid'd to you, why take the bit off??
> Am I missing something trivial here?
All togeather too often, sysadms will chown a mess of users files to root
to prevent the user from playing with them.. opps.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

> > Race condition if you can figure out what root is doing -- just setuid
> > between time root examines files and chown.
Alan Cox <alan@lxorguk.ukuu.org.uk> wrote:
> If you can edit a file root is planning to setuid root then there are
> bigger problems anyway
Since when should chown root mean setuid root?
> > Alternatively, security bug if chown is used in a script written under
> > 2.0 (which relies on the current behavior).
>
> Name one.
Hmm... I was envisioning making root owner on files when a user
is being removed from system.
--
Raul
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

"Stephen C. Tweedie" wrote:
>
> Hi,
>
> On Mon, 11 Jan 1999 15:40:02 +0000 (GMT), alan@lxorguk.ukuu.org.uk
> (Alan Cox) said:
>
> >> In message <19990109215152.C32046@kitenet.net>, Joey Hess writes:
>
> >> GAK!!! Security flaw here, methinks. chown should unconditionally clear
> >> setuid and setgid.
>
> > Except when done by root
>
> Is there any consensus on this? According to singleunix, suid and
> sgid on regular files get cleared unconditionally except when the
> caller has "appropriate privileges", but in that case the behaviour is
> implementation-defined. What do other unixen do in this case?
Solaris 2.5.1 retains suid and sgid...
# chmod g+x blub
# ls -l blub
-rw-rwxr-- 1 root other 0 Jan 12 08:23 blub
# chmod +x blub
# chmod +s blub
# ls -l blub
-rwsrwsr-- 1 root other 0 Jan 12 08:23 blub
# chown eastep blub
# ls -l blub
-rwsrwsr-- 1 eastep other 0 Jan 12 08:23 blub
# uname -a
SunOS eastep-5 5.5.1 Generic sun4m sparc SUNW,SPARCstation-20
#
-Tom
--
Tom Eastep
Compaq Computer Corporation
Enterprise Computing Group
Tandem Division
tom.eastep@compaq.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

> Hmm... I was envisioning making root owner on files when a user
> is being removed from system.
Then you should be clearing the setuid bit first - good example though.
I don't actually care too much which behaviour is used. The important stuff
the change fixed was the dangerously wrong clearing of those bits on a directory
that got chowned. The "if root" stuff is a side issue.
Alan
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

On Tue, 12 Jan 1999, Raul Miller wrote:
> > > Race condition if you can figure out what root is doing -- just setuid
> > > between time root examines files and chown.
That race condition still exists in Linux 2.0.x. So if you are vulnerable
to this attack in 2.2 you are also vulnerable in 2.0.x, it just may be a
little harder to exploit.
> Alan Cox <alan@lxorguk.ukuu.org.uk> wrote:
> > If you can edit a file root is planning to setuid root then there are
> > bigger problems anyway
>
> Since when should chown root mean setuid root?
Since always in standard UNIX practice, if the file is already setuid.
> > > Alternatively, security bug if chown is used in a script written under
> > > 2.0 (which relies on the current behavior).
> >
> > Name one.
>
> Hmm... I was envisioning making root owner on files when a user
> is being removed from system.
A very bad practice -- if you are running around chowning things to root
without looking at what you're chowning, either directly or though a
script, you are in for a lot of trouble anyway the moment you venture
outside a pure-Linux environment. Remedies include using an unprivileged
ID to chown to; mounting your user-writable partitions nosuid (or even
noexec); and regularly looking for suid files, e.g. AFTER you do your big
chowns.
Please look at other major versions of UNIX, and write back if you can find
at least one major flavor which has the behavior you want. I have checked
IRIX, AIX, Solaris 2.x, and SunOS 4.x -- they are consistent with the new
Linux behavior when chowning setuid files as root. I don't have any
Digital UNIX, BSD, SCO, UnixWare, or HP/UX systems handy right now, but if
you can find different behavior in ANY of them I'd like to hear about it.
--- David C Niemi ---niemi at tux.org--- Reston, Virginia, USA ---
But only the man who cares about something in itself, who loves
it and does it *con amore*, will do it in all seriousness. The
highest achievement has always been that of such men, and not of
the hacks who serve for pay. -- Arthur Schopenhauer
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

On Tue, 12 Jan 1999, David C Niemi wrote:
# Please look at other major versions of UNIX, and write back if you can find
# at least one major flavor which has the behavior you want. I have checked
I tried SCO 3.x and it behaves as 2.1 does. I would have checked our Xenix
box but it crashed sometime last year and no one bothered to bring it up
again ;)
G'day!
-- n i c h o l a s j l e o n
elegance through simplicity*http://mrnick.binary9.net*nicholas@binary9.net
good fortune through truth*roaming:njllm@email.msn.com*ICQ#2170994*U+($++)
TRA#6805*not all questions have answers*pseudogeek:P+++($++)L+($++)W=lm@b9
trust no-one with an iq under 150*understand yourself before trying others
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

On Mon, Jan 11, 1999 at 09:25:17PM -0500, David C Niemi wrote:
% Right, the new behavior is intended to exactly match SunOS/Solaris and is
% should be more consistent with the rest of UNIX in general. The old
% behavior was highly nonstandard and made group-controlled permissions on
% directories (e.g. with CVS) rather impractical (and for that matter didn't
% even match its own comments or man page).
I don't think anyone's arguing against this part of the change (changing
the behavior of chown on set-id directories).
% I consulted POSIX and UNIX98 as well, but they did not have anything to say
% about root doing chown and chgrp, so I went for "standard UNIX practice".
The problem with this "standard UNIX practice" (for chown on set-id files)
is that set-id is used to mean "set the euid (egid) to *this* user (group)".
That is, it is used when someone wants a program to run with a specific set
of privileges, not the just the privileges of whatever the owner/group of
the file happen to be. Thus when chowned, the file has effectively suddenly
*become* a set-id file from the point-of-view of the new privileges---a
change which is likely to be undesirable (and exploitable). Clearing the
set-id status during a chmod seems to be the best way to avoid this
difficulty within the limitations of UNIX's security model.
% I'm also skeptical there is any compelling security reason to drop setuid
% when root is doing a chown/chgrp, if root can chown it root can just as
% well chmod it again afterwards.
One could make the exact opposite argument: Since root can chmod the file
afterwards, there is no need to preserve the bits; root can always restore
them if that's what it really wants.
In any case there is a security problem: When chowning any file there is
a race condition where the owner sets the suid bit just before the chown
(so chmoding it first doesn't help) and executes the file just afterwards
(so chmoding it after doesn't, either). This means that root chowning
*any* file while the old owner is running a process exposes the new owner
to a break-in by the old. I don't see any way around this except crossing
one's fingers and hoping the old owner doesn't luck out and get the timing
right.
% Also, if root chowning causes bits in
% permissions to be cleared, it can result in some utilities not preserving
% permissions as expected when doing copies and restores (depending on the
% order the utility does the chown and chmod in).
This is a problem that would exist anyway, since this behavior is normal
for non-root users. And since Linux utilities are already used to the old
behavior, this bug would mostly be fixed already. (And personally, I'd
rather risk a few slightly buggy tools than a potential security exploit
in the kernel.)
Mark
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

On Tue, 12 Jan 1999, Mark Jefferys wrote:
[I wrote]
> % I consulted POSIX and UNIX98 as well, but they did not have anything to say
> % about root doing chown and chgrp, so I went for "standard UNIX practice".
>
> The problem with this "standard UNIX practice" (for chown on set-id files)
> is that set-id is used to mean "set the euid (egid) to *this* user (group)".
> That is, it is used when someone wants a program to run with a specific set
> of privileges, not the just the privileges of whatever the owner/group of
> the file happen to be. Thus when chowned, the file has effectively suddenly
> *become* a set-id file from the point-of-view of the new privileges---a
> change which is likely to be undesirable (and exploitable). Clearing the
> set-id status during a chmod seems to be the best way to avoid this
> difficulty within the limitations of UNIX's security model.
There is also the principle of "least surprise", which argues against
making implicit and nonstandard actions that the user did not ask for. If
we clear that bit we are going against standard UNIX practice, so far
verified on SunOS 4, Solaris 2, AIX, IRIX, and even SCO. That's not to say
we shouldn't do it, but we had better have a very compelling reason to be
that nonstandard.
And for the security implications, experienced system administrators expect
that chowning files to root could be dangerous, and shouldn't be done
without the same caution required when adding setuid bits.
> % I'm also skeptical there is any compelling security reason to drop setuid
> % when root is doing a chown/chgrp, if root can chown it root can just as
> % well chmod it again afterwards.
>
> One could make the exact opposite argument: Since root can chmod the file
> afterwards, there is no need to preserve the bits; root can always restore
> them if that's what it really wants.
I can buy this in the case of non-root files chown'd to root; though not in
the case of setgid files being chown'd or setuid files being chgrp'd or
setuid nonroot files being chown'd to another nonroot user.
> In any case there is a security problem: When chowning any file there is
> a race condition where the owner sets the suid bit just before the chown
> (so chmoding it first doesn't help) and executes the file just afterwards
> (so chmoding it after doesn't, either). This means that root chowning
> *any* file while the old owner is running a process exposes the new owner
> to a break-in by the old. I don't see any way around this except crossing
> one's fingers and hoping the old owner doesn't luck out and get the timing
> right.
This is true, but this race condition might exist even if the clearing of
the suid bit is done in the kernel, it requires checking on what the lower
levels of chown/chmod do for locking. This might even be
file-system-specific.
> % Also, if root chowning causes bits in
> % permissions to be cleared, it can result in some utilities not preserving
> % permissions as expected when doing copies and restores (depending on the
> % order the utility does the chown and chmod in).
>
> This is a problem that would exist anyway, since this behavior is normal
> for non-root users. And since Linux utilities are already used to the old
> behavior, this bug would mostly be fixed already. (And personally, I'd
> rather risk a few slightly buggy tools than a potential security exploit
> in the kernel.)
I don't think this security risk is very large, but OTOH the value of not
clearing setuid bits when chowning to root is fairly small. Here's what I
suggest:
- Figure out what the remaining UNIX OSes do (BSD, Compaq/Digital UNIX, and
HP/UX). I am a bit concerned about Linux being completely nonstandard, and
even if no-one else does what is proposed it would be a good idea to
document this in the code and man page. OTOH POSIX and Linux98 clearly
permit the proposed behavior and the current behavior.
- If someone would like to code up a patch for the narrow case of chown to
root of non-root setuid files, please go ahead and send it to Alan and
Linus for review. Note that the locking needs to be looked into. Also
chowns to nonroot and chgrps should not clear the bits, nor should a chown
to root clear setgid bits, nor should sgid or suid bits be cleared on
directories. Only the narrow case should be changed.
I haven't heard comment by Linus; Alan doesn't feel strongly on this issue
and in the narrow case indicated neither do I aside from my concern about
nonstandard behavior.
--- David C Niemi ---niemi at tux.org--- Reston, Virginia, USA ---
But only the man who cares about something in itself, who loves
it and does it *con amore*, will do it in all seriousness. The
highest achievement has always been that of such men, and not of
the hacks who serve for pay. -- Arthur Schopenhauer
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

> > % I consulted POSIX and UNIX98 as well, but they did not have anything to say
> > % about root doing chown and chgrp, so I went for "standard UNIX practice".
> >
> > The problem with this "standard UNIX practice" (for chown on set-id files)
> > is that set-id is used to mean "set the euid (egid) to *this* user (group)".
> > That is, it is used when someone wants a program to run with a specific set
> > of privileges, not the just the privileges of whatever the owner/group of
> > the file happen to be. Thus when chowned, the file has effectively suddenly
> > *become* a set-id file from the point-of-view of the new privileges---a
> > change which is likely to be undesirable (and exploitable). Clearing the
> > set-id status during a chmod seems to be the best way to avoid this
> > difficulty within the limitations of UNIX's security model.
>
> There is also the principle of "least surprise", which argues against
> making implicit and nonstandard actions that the user did not ask for. If
> we clear that bit we are going against standard UNIX practice, so far
> verified on SunOS 4, Solaris 2, AIX, IRIX, and even SCO. That's not to say
> we shouldn't do it, but we had better have a very compelling reason to be
> that nonstandard.
> And for the security implications, experienced system administrators expect
> that chowning files to root could be dangerous, and shouldn't be done
> without the same caution required when adding setuid bits.
Or there's the possibility that clearing the setUID bits will break
some scripts. Even if the scripts themselves aren't setUID, the
programs they exec might very well be. If adduser or something
changes owner of a setUID program when it's installed, then the script
has to be rewritten. Unlikely, but possible, and experienced admins
expect standard utilities to operate in a certain manner.
--
Robert Kiesling
kiesling@ix.netcom.com
--
Robert Kiesling
kiesling@ix.netcom.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

On Tue, 12 Jan 1999, Raul Miller wrote:
> > > > Race condition if you can figure out what root is doing -- just setuid
> > > > between time root examines files and chown.
David C Niemi <niemi@tux.org> wrote:
> That race condition still exists in Linux 2.0.x. So if you are vulnerable
> to this attack in 2.2 you are also vulnerable in 2.0.x, it just may be a
> little harder to exploit.
How so?
Under 2.0, chown root cleared setuid.
--
Raul
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

On Sun, 10 Jan 1999, Brandon S. Allbery KF8NH wrote:
| GAK!!! Security flaw here, methinks. chown should unconditionally clear
| setuid and setgid.
While in a way I can somewhat see your reasoning, I disagree. If you're
running chown on a file yet not really changing the owner or group (from
root to root again as in this case) I see no problem with leaving
setuid/setgid as they are. Unless, of course, I'm missing something.
--
Shawn K. Quinn - skquinn@southernaccess.net
Posting from a fake address is letting the spammers win
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/