From: "21625039" <21625039@zju.edu.cn>
Subject: chown of coreutils may delete the suid of file
Date: Tue, 14 Dec 2021 10:49:37 +0800

I encountered a problem with chown on my fedora34 as the version of
coreutils is 8.32.

The reproduction process can be seen in the steps below:

[root@fedora ~]# ll test.txt
-rw-r--r--. 1 root root 0 Dec 13 21:13 test.txt
[root@fedora ~]# chmod 4750 test.txt
[root@fedora ~]# ll test.txt
-rwsr-x---. 1 root root 0 Dec 13 21:13 test.txt
[root@fedora ~]# chown root:root test.txt
[root@fedora ~]# ll test.txt
-rwxr-x---. 1 root root 0 Dec 13 21:13 test.txt
[root@fedora ~]# rpm -qa coreutils
coreutils-8.32-19.fc34.x86_64
[root@fedora ~]# cat /etc/fedora-release
Fedora release 34 (Thirty Four)

Looking forward to hearing from you!

Thanks.

From: Kamil Dudka
To: 21625039 <21625039@zju.edu.cn>
Cc: bug-coreutils@gnu.org, 52481@debbugs.gnu.org
Subject: Re: bug#52481: chown of coreutils may delete the suid of file
Date: Tue, 14 Dec 2021 16:33:00 +0100

On Tuesday, December 14, 2021 3:49:37 AM CET 21625039 wrote:
> I encountered a problem with chown on my fedora34 as the version of
> coreutils is 8.32.
>
> The reproduction process can be seen in the steps below:
>
> [root@fedora ~]# ll test.txt
> -rw-r--r--. 1 root root 0 Dec 13 21:13 test.txt
> [root@fedora ~]# chmod 4750 test.txt
> [root@fedora ~]# ll test.txt
> -rwsr-x---. 1 root root 0 Dec 13 21:13 test.txt
> [root@fedora ~]# chown root:root test.txt
> [root@fedora ~]# ll test.txt
> -rwxr-x---. 1 root root 0 Dec 13 21:13 test.txt

I believe this is already documented [1]:

    "The chown command sometimes clears the set-user-ID or set-group-ID
    permission bits. This behavior depends on the policy and functionality
    of the underlying chown system call, which may make system-dependent
    file mode modifications outside the control of the chown command."

Kamil

[1] https://www.gnu.org/software/coreutils/manual/html_node/chown-invocation.html

> [root@fedora ~]# rpm -qa coreutils
> coreutils-8.32-19.fc34.x86_64
> [root@fedora ~]# cat /etc/fedora-release
> Fedora release 34 (Thirty Four)
>
> Looking forward to hearing from you!
>
> Thanks.

From: Paul Eggert
To: control@debbugs.gnu.org
Subject: 52481 is not a bug
Date: Tue, 14 Dec 2021 10:08:14 -0800

tags 52481 notabug
close 52481

From: Bob Proulx
To: 52481@debbugs.gnu.org, 52481-submitter@debbugs.gnu.org
Subject: Re: bug#52481: chown of coreutils may delete the suid of file
Date: Fri, 17 Dec 2021 17:19:36 -0700

21625039 wrote:
> [root@fedora ~]# ll test.txt
> -rwsr-x---. 1 root root 0 Dec 13 21:13 test.txt
>
> [root@fedora ~]# chown root:root test.txt
> [root@fedora ~]# ll test.txt
> -rwxr-x---. 1 root root 0 Dec 13 21:13 test.txt

That is a feature of the Linux kernel, OpenBSD kernel, and NetBSD
kernel, and I presume of other kernels too. I know that traditional
Unix systems did not. But this is done by the kernel as a security
mitigation against some types of attack.

For example a user might have a file which is in their own directory
tree. It might be executable and setuid. Then through a social
engineering attack they coerce root into copying the file or otherwise
taking ownership of the directory tree because they are hoping to make
use of the now newly chowned root file that is executable.

Therefore as a security mitigation implemented by the OS kernel the
setuid bit is removed when chown'ing files. If this is truly desired
then the file can be chmod'd explicitly after chown'ing the file.

This is entirely a kernel behavior and not of chown(1). This isn't
specific to chown(1) command line utility at all. For example you can
test that the same behavior from the kernel exists when using any
programming language. It will have the same behavior. Without
Coreutils involved at all.

  # ll test.txt
  -rwsr-xr-x 1 rwp rwp 0 Dec 17 17:13 test.txt
  # perl -e 'chown 0, 0, "test.txt" or die;'
  # ll test.txt
  -rwxr-xr-x 1 root root 0 Dec 17 17:13 test.txt

Bob

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Sat, 15 Jan 2022 12:24:07 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
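
Added example, not part of the original thread or of coreutils: a Python sketch of the behaviour discussed above. It performs the ownership change through one file descriptor, reports which set-ID bits the kernel cleared, and re-applies the original mode only when the caller explicitly asks for it (the "chmod after chown" step). The names chown_report and demo, and the temporary file, are constructed for illustration; the demo chowns a file to its current owner, as the original report did.

```python
import os
import stat
import tempfile

SPECIAL = stat.S_ISUID | stat.S_ISGID  # bits the chown(2) system call may clear


def chown_report(path, uid, gid, restore=False):
    """chown a regular file through one fd and report cleared special bits.

    restore=True re-applies the original mode with fchmod, the explicit
    "chmod after chown" step from the thread; only for files you trust.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # never follow a symlink
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("not a regular file: %r" % path)
        before = stat.S_IMODE(st.st_mode)
        os.fchown(fd, uid, gid)
        after = stat.S_IMODE(os.fstat(fd).st_mode)
        cleared = (before & ~after) & SPECIAL
        if cleared and restore:
            os.fchmod(fd, before)  # same fd, so the same inode that was chowned
            after = stat.S_IMODE(os.fstat(fd).st_mode)
        return {"before": before, "after": after, "cleared": cleared}
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a mode 4750 file, chowned to its current owner."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        owner = os.stat(path)
        os.chmod(path, 0o4750)
        plain = chown_report(path, owner.st_uid, owner.st_gid)
        os.chmod(path, 0o4750)
        restored = chown_report(path, owner.st_uid, owner.st_gid, restore=True)
        return {"plain": plain, "restored": restored}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, {k: oct(v) for k, v in result.items()})
```

Whether "cleared" is non-zero depends on the kernel, as the coreutils manual says; restoring the set-ID bit on a file whose contents were written by its previous owner recreates the situation the kernel mitigation exists to prevent, so restore is off by default.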