On Mon, Jul 07, 2003 at 01:59:00AM -0400, Robert Brockway wrote:
> On Sun, 6 Jul 2003, Ethan Benson wrote:
>
> > my previous mail i missed that you were doing this as non-root. as
>
> I probably should have been more explicit about that.
your example doesn't really does not demonstrate any security hole
anyway since you owned the file you could just as well run chmod 555
testfile and then executed it. even with irix behavior you cannot
chown a file you don't already own in the first place.
> I'm actually surprised that xfs allows the liberal behaviour of
> restrict_chown=0 at all (as a default or not).
the linux kernel has the same ability, you could just as easily grant
all processes CAP_CHOWN.
> The potential for abuse is significant. It basically nullifies any use of
> quotas since it allows any user to force any other user over-quota at any
> time. This could result in mail bounces and all sorts of mischief.
typically its not allowed when quotas are in use, im not sure whether
the irix behavior keeps to that or not.
> Is the option there for compatability with Irix, and if so, why does Irix
> allow it?
keeping to old style unix tradition i suppose.
--
Ethan Benson
http://www.alaska.net/~erbenson/
pgpEUJ0YemUA4.pgp
Description: PGP signature
|