bug#52481: chown of coreutils may delete the suid of file

[Bob Proulx]

21625039 wrote:
> [root@fedora ~]# ll test.txt
> -rwsr-x---. 1 root root 0 Dec 13 21:13 test.txt
> 
> [root@fedora ~]# chown root:root test.txt
> [root@fedora ~]# ll test.txt
> -rwxr-x---. 1 root root 0 Dec 13 21:13 test.txt

That is a feature of the Linux kernel, OpenBSD kernel, and NetBSD
kernel, and I presume of other kernels too.  I know that traditional
Unix systems did not.  But this is done by the kernel as a security
mitigation against some types of attack.

For example a user might have a file which is in their own directory
tree.  It might be executable and setuid.  Then through a social
engineering attack they coerce root into copying the file or otherwise
taking ownership of the directory tree because they are hoping to make
use of the now newly chowned root file that is executable.

Therefore as a security mitigation implemented by the OS kernel the
setuid bit is removed when chown'ing files.  If this is truly desired
then the file can be chmod'd explicitly after chown'ing the file.

This is entirely a kernel behavior and not of chown(1).  This isn't
specific to chown(1) command line utility at all.  For example you can
test that the same behavior from the kernel exists when using any
programming language.  It will have the same behavior.  Without
Coreutils involved at all.

    # ll test.txt
    -rwsr-xr-x 1 rwp rwp 0 Dec 17 17:13 test.txt
    # perl -e 'chown 0, 0, "test.txt" or die;'
    # ll test.txt
    -rwxr-xr-x 1 root root 0 Dec 17 17:13 test.txt

Bob