Re: address@hidden: Re: cp as root and +s]

From: Jim Meyering
Subject: Re: address@hidden: Re: cp as root and +s]
Date: Sun, 08 Jul 2001 23:24:43 +0200
User-agent: Gnus/5.090004 (Oort Gnus v0.04) Emacs/21.0.104

Thanks a lot for the report and analysis.
That is a bug in GNU cp from fileutils-4.1, since POSIX explicitly
requires that cp (with neither -p nor -a) clear the set-user-ID and
set-group-ID bits when creating new files.

Here's the patch (I'll fix the documentation, too):

Index: copy.c
RCS file: /fetish/fileutils/src/copy.c,v
retrieving revision 1.97
diff -u -p -r1.97 copy.c
--- copy.c      2001/05/12 09:58:03     1.97
+++ copy.c      2001/07/08 21:12:31
@@ -86,9 +86,11 @@ get_dest_mode (const struct cp_options *
   if (option->set_mode)
     return option->mode;
-  /* Honor the umask for `cp', but not for `mv' or `cp -p'.  */
+  /* Honor the umask for `cp', but not for `mv' or `cp -p'.
+     In addition, `cp' without -p must clear the set-user-ID and set-group-ID
+     bits.  POSIX requires it do that when creating new files.  */
   if (!option->move_mode && !option->preserve_chmod_bits)
-    mode &= option->umask_kill;
+    mode &= (option->umask_kill & ~(S_ISUID | S_ISGID));
   return mode;
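
Review bot: The new mask on the `mode &=` line names only S_ISUID and S_ISGID and leaves S_ISVTX alone, while the quoted report below asks that cp without -p (and -a) drop all three bits that umask cannot control. Either add S_ISVTX to the mask or state in the comment that the sticky bit is kept on purpose. The `if (option->set_mode)` early return at the top of the hunk is unchanged, so a mode returned from there never passes through the new masking; if that is intended, the comment should say so. A regression test that copies a set-user-ID file and a set-group-ID file without -p and checks the destination mode would keep this from coming back.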

address@hidden wrote:
| I thought the enclosed conversation would be of interest. prior to
| contacting solar designer i did look at the fileutils (4.1) info for cp
| and was unable to find the information he mentions. most users might not
| pick up on this subtlety and the results could be disastrous.
| fractoid
| From: address@hidden
| Subject: Re: cp as root and +s
| To: address@hidden
| Date: Sun, 8 Jul 2001 04:42:09 +0400
| On Sat, Jul 07, 2001 at 07:08:38PM -0400, address@hidden wrote:
| Hi,
| > i'd like to ask your opinion. let's say i have a file (bin) which is suid a
| > non privileged user, which i copy to another file while i'm root.
| > The new file is now SUID *ROOT*. a reputable linux kernel developer informs
| > me that this is expected behavior for root, and i find this incredibly
| > dangerous, and unexpected.
| (This has nothing to do with the kernel, it's a property of cp.)
| > Is this something that should be prevented in secure systems?
| Yes, I think so.  This is really the expected behavior if you read the
| texinfo documentation for GNU fileutils, but I agree that most people
| wouldn't expect cp to leave the SUID and SGID bits when cp isn't told
| to also preserve the file's ownership.
| `-p'
| `--preserve'
|      Preserve the original files' owner, group, permissions, and
|      timestamps.  In the absence of this option, each destination file
|      is created with the permissions of the corresponding source file,
|      minus the bits set in the umask. *Note File permissions::.
| I think that cp without -p (and -a) should also not copy the three
| bits not controllable with umask.
| Feel free to forward this to <address@hidden> and please CC me
| if you do so.
| --
| /sd
| ----------
