bug-coreutils

chown security problem


From: Kirill Korotaev
Subject: chown security problem
Date: Thu, 17 Feb 2005 10:58:28 +0300
User-agent: Mozilla/5.0 (X11; U; Linux i686; ru-RU; rv:1.2.1) Gecko/20030426

Hello all,

I recently found that chown tries to keep the SUID bit the same as it was for the previous user. I think it is totally wrong and insecure!

It leads to a hard-exploitable race when a user triggers the SUID bit on its file and the superuser changes the owner to itself.

Do as user:
$ touch aaa
$ chmod 755 aaa
$ ls -l aaa
-rwxr-xr-x    1 user    user            0 Фев 16 14:00 aaa
$ chmod 04755 aaa

Do as root:
# strace chown root:root aaa
[...]
lstat64("aaa", {st_mode=S_IFREG|S_ISUID|0755, st_size=0, ...}) = 0
chown32("aaa", 0, 0)                    = 0
chmod("aaa", 0104755)                   = 0   <<<<<<< OOOOOPPPPSSSSSS
exit_group(0)                           = ?
# ls -l aaa
-rwsr-xr-x    1 root     root            0 Фев 16 14:01 aaa

Kirill




