GNU bug report logs - #52481
chown of coreutils may delete the suid of file


Package: coreutils;

Reported by: "21625039" <21625039 <at> zju.edu.cn>

Date: Tue, 14 Dec 2021 14:53:01 UTC

Severity: normal

Tags: notabug

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.



Message #18 received at 52481 <at> debbugs.gnu.org:

From: Bob Proulx <bob <at> proulx.com>
To: 52481 <at> debbugs.gnu.org, 52481-submitter <at> debbugs.gnu.org
Subject: Re: bug#52481: chown of coreutils may delete the suid of file
Date: Fri, 17 Dec 2021 17:19:36 -0700
21625039 wrote:
> [root <at> fedora ~]# ll test.txt
> -rwsr-x---. 1 root root 0 Dec 13 21:13 test.txt
> 
> [root <at> fedora ~]# chown root:root test.txt
> [root <at> fedora ~]# ll test.txt
> -rwxr-x---. 1 root root 0 Dec 13 21:13 test.txt

That is a feature of the Linux kernel, OpenBSD kernel, and NetBSD
kernel, and I presume of other kernels too.  I know that traditional
Unix systems did not.  But this is done by the kernel as a security
mitigation against some types of attack.

For example, a user might have a file which is in their own directory
tree.  It might be executable and setuid.  Then, through a social
engineering attack, they coerce root into copying the file or otherwise
taking ownership of the directory tree, because they are hoping to make
use of the now newly chowned root-owned file that is executable.

Therefore as a security mitigation implemented by the OS kernel the
setuid bit is removed when chown'ing files.  If this is truly desired
then the file can be chmod'd explicitly after chown'ing the file.

This is entirely a kernel behavior, not a behavior of chown(1).  It
isn't specific to the chown(1) command-line utility at all.  For
example, you can verify that the kernel behaves the same way from any
programming language, without Coreutils involved at all.  It will have
the same behavior.

    # ll test.txt
    -rwsr-xr-x 1 rwp rwp 0 Dec 17 17:13 test.txt
    # perl -e 'chown 0, 0, "test.txt" or die;'
    # ll test.txt
    -rwxr-xr-x 1 root root 0 Dec 17 17:13 test.txt

Bob
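The kernel-side behaviour described in the reply above, shown from C rather than perl, as an added example that is not part of the bug report or of coreutils. It creates a scratch file, marks it 04755, chowns it to its own current owner and group (a no-op ownership change that needs no privilege, mirroring the reporter's root:root chown) and reads the mode back with fstat(2): the setuid bit is gone even though nothing about the ownership changed. It also shows the "chmod again after chown" remedy the reply recommends, written as a helper that records the setid bits before the chown and re-applies them on the same descriptor afterwards. The function names, the struct and the /tmp path are assumptions of this example. On Linux this stripping applies to root as well (the chown(2) manual notes that since 2.2.13 root is treated like other users), which is why the reporter's command dropped the bit; on the BSDs the manuals describe it for unprivileged callers, so the "after chown" value may differ there when run as root.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

#define SETID_BITS (S_ISUID | S_ISGID)   /* the bits chown(2) may strip */
#define MODE_MASK  07777                 /* setid + sticky + permissions */

/* Modes observed during one run (names are this example's, not the kernel's). */
struct suid_demo {
    mode_t initial;       /* mode right after fchmod(04755)            */
    mode_t after_chown;   /* mode after a plain chown(2)               */
    mode_t after_restore; /* mode after chown via fchown_keep_setid()  */
};

/* chown the file behind fd, then put back any setuid/setgid bits the kernel
 * cleared.  This is the "chmod explicitly after chown" the reply suggests,
 * done on the open descriptor so the path cannot be swapped between the
 * two calls.  Returns 0 on success, -1 with errno set on failure. */
int fchown_keep_setid(int fd, uid_t uid, gid_t gid)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -1;
    mode_t setid = st.st_mode & SETID_BITS;
    if (fchown(fd, uid, gid) < 0)
        return -1;
    if (setid == 0)
        return 0;                        /* nothing to restore */
    if (fstat(fd, &st) < 0)
        return -1;
    if ((st.st_mode & setid) == setid)
        return 0;                        /* kernel left them alone (e.g. a directory) */
    return fchmod(fd, (st.st_mode & MODE_MASK) | setid);
}

/* Create a scratch file, give it 04755, then chown it to its *current*
 * owner and group twice: once with plain chown(2) (setuid is dropped) and
 * once through fchown_keep_setid() (setuid survives).  Fills *r and returns
 * 0, or returns -1 on any error. */
int run_suid_demo(struct suid_demo *r)
{
    char path[] = "/tmp/suid-demo-XXXXXX";   /* assumed writable scratch dir */
    struct stat st;
    int rc = -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    const mode_t want = S_ISUID | S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH; /* 04755 */
    if (fchmod(fd, want) < 0 || fstat(fd, &st) < 0)
        goto out;
    r->initial = st.st_mode & MODE_MASK;
    uid_t owner = st.st_uid;                 /* chown to what it already is */
    gid_t group = st.st_gid;

    /* Plain chown(2): the same system call coreutils chown(1) and perl's
     * chown end up making.  Ownership does not change, yet the kernel
     * still clears S_ISUID on a regular file. */
    if (chown(path, owner, group) < 0 || fstat(fd, &st) < 0)
        goto out;
    r->after_chown = st.st_mode & MODE_MASK;

    /* Set the bit again, then chown through the preserving helper. */
    if (fchmod(fd, want) < 0)
        goto out;
    if (fchown_keep_setid(fd, owner, group) < 0 || fstat(fd, &st) < 0)
        goto out;
    r->after_restore = st.st_mode & MODE_MASK;
    rc = 0;
out:
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    struct suid_demo r;
    if (run_suid_demo(&r) != 0) {
        perror("suid demo");
        return 1;
    }
    printf("initial       %04o\n", (unsigned)r.initial);
    printf("after chown   %04o\n", (unsigned)r.after_chown);
    printf("after restore %04o\n", (unsigned)r.after_restore);
    return 0;
}
```

Build with `cc -o suid-demo suid-demo.c && ./suid-demo`; it needs no root. The restore helper deliberately re-reads the mode after the chown rather than blindly writing 04755 back, so it only touches the bits the kernel actually removed and leaves a file that had no setid bits untouched.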







GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.