GNU bug report logs -
#52481
chown of coreutils may delete the suid of file
Previous Next
Reported by: "21625039" <21625039 <at> zju.edu.cn>
Date: Tue, 14 Dec 2021 14:53:01 UTC
Severity: normal
Tags: notabug
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 52481 in the body.
You can then email your comments to 52481 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-coreutils <at> gnu.org:
bug#52481; Package
coreutils.
(Tue, 14 Dec 2021 14:53:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
"21625039" <21625039 <at> zju.edu.cn>:
New bug report received and forwarded. Copy sent to
bug-coreutils <at> gnu.org.
(Tue, 14 Dec 2021 14:53:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
I encountered a problem with chown on my fedora34 as the version of
coreutils is 8.32.
The reproduce process could see the steps blow:
[root <at> fedora ~]# ll test.txt
-rw-r--r--. 1 root root 0 Dec 13 21:13 test.txt
[root <at> fedora ~]# chmod 4750 test.txt
[root <at> fedora ~]# ll test.txt
-rwsr-x---. 1 root root 0 Dec 13 21:13 test.txt
[root <at> fedora ~]# chown root:root test.txt
[root <at> fedora ~]# ll test.txt
-rwxr-x---. 1 root root 0 Dec 13 21:13 test.txt
[root <at> fedora ~]# rpm -qa coreutils
coreutils-8.32-19.fc34.x86_64
[root <at> fedora ~]# cat /etc/fedora-release
Fedora release 34 (Thirty Four)
Looking forward to hearing from you!
Thanks.
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-coreutils <at> gnu.org:
bug#52481; Package
coreutils.
(Tue, 14 Dec 2021 15:34:02 GMT)
Full text and
rfc822 format available.
Message #8 received at submit <at> debbugs.gnu.org (full text, mbox):
On Tuesday, December 14, 2021 3:49:37 AM CET 21625039 wrote:
> I encountered a problem with chown on my fedora34 as the version of
> coreutils is 8.32.
>
>
>
> The reproduce process could see the steps blow:
>
> [root <at> fedora ~]# ll test.txt
>
> -rw-r--r--. 1 root root 0 Dec 13 21:13 test.txt
>
> [root <at> fedora ~]# chmod 4750 test.txt
>
> [root <at> fedora ~]# ll test.txt
>
> -rwsr-x---. 1 root root 0 Dec 13 21:13 test.txt
>
> [root <at> fedora ~]# chown root:root test.txt
>
> [root <at> fedora ~]# ll test.txt
>
> -rwxr-x---. 1 root root 0 Dec 13 21:13 test.txt
I believe this is already documented [1]:
"The chown command sometimes clears the set-user-ID or set-group-ID
permission bits. This behavior depends on the policy and functionality
of the underlying chown system call, which may make system-dependent
file mode modifications outside the control of the chown command."
Kamil
[1] https://www.gnu.org/software/coreutils/manual/html_node/chown-invocation.html
> [root <at> fedora ~]# rpm -qa coreutils
>
> coreutils-8.32-19.fc34.x86_64
>
> [root <at> fedora ~]# cat /etc/fedora-release
>
> Fedora release 34 (Thirty Four)
>
>
>
> Looking forward to hearing from you!
>
> Thanks.
Information forwarded
to
bug-coreutils <at> gnu.org:
bug#52481; Package
coreutils.
(Tue, 14 Dec 2021 15:34:02 GMT)
Full text and
rfc822 format available.
Added tag(s) notabug.
Request was from
Paul Eggert <eggert <at> cs.ucla.edu>
to
control <at> debbugs.gnu.org.
(Tue, 14 Dec 2021 18:09:02 GMT)
Full text and
rfc822 format available.
bug closed, send any further explanations to
52481 <at> debbugs.gnu.org and "21625039" <21625039 <at> zju.edu.cn>
Request was from
Paul Eggert <eggert <at> cs.ucla.edu>
to
control <at> debbugs.gnu.org.
(Tue, 14 Dec 2021 18:09:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-coreutils <at> gnu.org:
bug#52481; Package
coreutils.
(Sat, 18 Dec 2021 00:20:02 GMT)
Full text and
rfc822 format available.
Message #18 received at 52481 <at> debbugs.gnu.org (full text, mbox):
21625039 wrote:
> [root <at> fedora ~]# ll test.txt
> -rwsr-x---. 1 root root 0 Dec 13 21:13 test.txt
>
> [root <at> fedora ~]# chown root:root test.txt
> [root <at> fedora ~]# ll test.txt
> -rwxr-x---. 1 root root 0 Dec 13 21:13 test.txt
That is a feature of the Linux kernel, OpenBSD kernel, and NetBSD
kernel, and I presume of other kernels too. I know that traditional
Unix systems did not. But this is done by the kernel as a security
mitigation against some types of attack.
For example a user might have a file which is in their own directory
tree. It might be executable and setuid. Then through a social
engineering attack they coerce root into copying the file or otherwise
taking ownership of the directory tree because they are hoping to make
use of the now newly chowned root file that is executable.
Therefore as a security mitigation implemented by the OS kernel the
setuid bit is removed when chown'ing files. If this is truly desired
then the file can be chmod'd explicitly after chown'ing the file.
This is entirely a kernel behavior and not of chown(1). This isn't
specific to chown(1) command line utility at all. For example you can
test that the same behavior from the kernel exists when using any
programming language. It will have the same behavior. Without
Coreutils involved at all.
# ll test.txt
-rwsr-xr-x 1 rwp rwp 0 Dec 17 17:13 test.txt
# perl -e 'chown 0, 0, "test.txt" or die;'
# ll test.txt
-rwxr-xr-x 1 root root 0 Dec 17 17:13 test.txt
Bob
Message sent on
to
"21625039" <21625039 <at> zju.edu.cn>:
bug#52481.
(Sat, 18 Dec 2021 00:20:02 GMT)
Full text and
rfc822 format available.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Sat, 15 Jan 2022 12:24:07 GMT)
Full text and
rfc822 format available.
This bug report was last modified 3 years and 150 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.