On Mon, Jul 07, 2003 at 11:32:18AM -0400, Robert Brockway wrote:
> On Sun, 6 Jul 2003, Ethan Benson wrote:
>
> > your example doesn't really does not demonstrate any security hole
> > anyway since you owned the file you could just as well run chmod 555
> > testfile and then executed it. even with irix behavior you cannot
> > chown a file you don't already own in the first place.
>
> Yes, you're right. I should have demonstrated it with changing gid not
> uid. This is equally doable and does show a security hole. It was late
> when I wrote that and I failed to see the obvious error in using uid.
how so? s bits are cleared on chown(2).
> > typically its not allowed when quotas are in use, im not sure whether
> > the irix behavior keeps to that or not.
>
> Linux quite happily set restrict_chown=0 on my quota enabled xfs
> filesystem. It would definately be worth having a sanity check about
> enabling both options at once.
did you check that chown() was still permitted? if so i would find
out if irix is the same. i would consider that a bug, but since its a
configurable sysctl default to a secure state its not really that big
a deal, if root wants to shoot himself in the foot, let him.
--
Ethan Benson
http://www.alaska.net/~erbenson/
pgpCs29BYPPs6.pgp
Description: PGP signature
|