Debian Bug report logs -
#112597
chown: restores suid and sgid bits after changing ownership
Reported by: Andrew Suffield <asuffield@debian.org>
Date: Mon, 17 Sep 2001 22:33:01 UTC
Severity: normal
Tags: security
Found in version 4.1-7
Fixed in version coreutils/5.0-5
Done: Michael Stone <mstone@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Michael Stone <mstone@debian.org>:
Bug#112597; Package fileutils.
Acknowledgement sent to Andrew Suffield <asuffield@debian.org>:
New Bug report received and forwarded. Copy sent to Michael Stone <mstone@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: fileutils
Version: 4.1-7
Severity: critical
Justification: root security hole
Tags: security
/* The change succeeded. On some systems, the chown function
resets the `special' permission bits. When run by a
`privileged' user, this program must ensure that at least
the set-uid and set-group ones are still set. */
if (file_stats.st_mode & ~(S_IFMT | S_IRWXUGO)
That's just wrong (as per discussion on #debian-devel, 17/09, numerous
developers agree). Those bits are removed by the kernel for a very
good reason, chown should not restore them. If nothing else, it
deviates from the expected behaviour of a unix-like system, which is
bad.
(potato's fileutils does not have this problem)
This appears in an upstream changelog entry dated 2000-12-09
-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux aps100p 2.4.9 #5 Mon Sep 3 13:57:24 BST 2001 i686
Locale: LANG=C, LC_CTYPE=
Versions of packages fileutils depends on:
ii libc6 2.2.4-1 GNU C Library: Shared libraries an
--
.''`. ** Debian GNU/Linux ** | Andrew Suffield
: :' : | Dept. of Computing,
`. `' | Imperial College,
`- http://www.debian.org/ | London, UK
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#112597; Package fileutils.
Acknowledgement sent to Michael Stone <mstone@debian.org>:
Extra info received and forwarded to list.
Message #10 received at 112597@bugs.debian.org:
severity wishlist
thanks
On Mon, Sep 17, 2001 at 11:17:15PM +0100, you wrote:
> /* The change succeeded. On some systems, the chown function
> resets the `special' permission bits. When run by a
> `privileged' user, this program must ensure that at least
> the set-uid and set-group ones are still set. */
> if (file_stats.st_mode & ~(S_IFMT | S_IRWXUGO)
>
> That's just wrong (as per discussion on #debian-devel, 17/09, numerous
> developers agree). Those bits are removed by the kernel for a very
> good reason, chown should not restore them.
You'll need a better-thought-out argument than this to get the priority
up past wishlist.
> If nothing else, it deviates from expected behaviour from a unix-like
> system, which is bad.
Quite the opposite; most will preserve the setuid bits. That argument
backfired.
--
Mike Stone
Reply sent to Andrew Suffield <asuffield@users.sourceforge.net>:
You have taken responsibility.
Notification sent to Andrew Suffield <asuffield@debian.org>:
Bug acknowledged by developer.
Message #15 received at 112597-close@bugs.debian.org:
It's either critical or it's intended behaviour. Given the fact that
everybody I spoke to expected chown to behave like it does in potato,
I assumed it was an oversight. I hope that someday somebody bothers to
document why they changed the behaviour of such a core tool.
--
.''`. ** Debian GNU/Linux ** | Andrew Suffield
: :' : | Dept. of Computing,
`. `' | Imperial College,
`- http://www.debian.org/ | London, UK
Information forwarded to debian-bugs-dist@lists.debian.org, Michael Stone <mstone@debian.org>:
Bug#112597; Package fileutils.
Acknowledgement sent to Clint Adams <schizo@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael Stone <mstone@debian.org>.
Message #20 received at 112597@bugs.debian.org:
severity 112597 critical
thanks
This is a security problem. Let's say I have a sticky
directory where users can copy documents to be archived.
A cronjob moves them out of this directory and files them
by date, chowning them to an unprivileged user. If a
malicious user sets the setuid bit on one of these documents,
they may be able to gain privileges of that user and compromise
the document archives. If you choose to work around this
bug by stripping setuid bits beforehand, you have a race
condition, as the user may be able to reset the bit
after the cronjob is done with it. If you choose to
strip setuid bits after the chown, you have a race condition,
since the user will have time to exploit the setuid
bit before it is stripped.
Severity set to `normal'.
Request was from Michael Stone <mstone@debian.org> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Michael Stone <mstone@debian.org>:
Bug#112597; Package fileutils.
Acknowledgement sent to Clint Adams <schizo@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael Stone <mstone@debian.org>.
Message #27 received at 112597@bugs.debian.org:
http://www.opengroup.org/onlinepubs/7908799/xcu/chown.html (close to POSIX)
...
Unless chown is invoked by a process with appropriate privileges, the
set-user-ID and set-group-ID bits of a regular file will be cleared
upon successful completion; the set-user-ID and set-group-ID bits of
other file types may be cleared.
...
I'm not sure what "appropriate privileges" are. However, I do note
that it doesn't seem to say anything about replacing bits, and I
don't see anything in the fileutils source that clears bits in
accordance with POSIX.
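The archiving cron job described in Message #20, and the post-chown check that Message #27 finds missing, written up as an added Python example. This is not code from this bug log, from fileutils or from coreutils; the directory layout (a sticky drop directory, a quarantine directory private to the job, and an archive directory, all on one filesystem) is an assumption made for the example. The routine does not depend on whether the chown implementation preserves the special bits: it changes ownership through an open descriptor, re-checks the mode on that same descriptor afterwards and strips setuid/setgid if they survived, and it only moves the file out of the private quarantine directory once that is done, so no other user has a path to a setuid file owned by the archive user at any point. It also refuses files with more than one hard link, since a second link would keep the inode reachable from elsewhere.

```python
import os
import stat
import tempfile

# setuid and setgid bits as they appear in st_mode
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def has_special_bits(mode: int) -> bool:
    """True when a st_mode value carries the setuid or setgid bit."""
    return bool(mode & SPECIAL_BITS)


def archive_file(src: str, quarantine_dir: str, dest_dir: str, uid: int, gid: int) -> int:
    """Move `src` out of a world-writable drop directory, hand it to uid:gid
    and guarantee it reaches `dest_dir` without setuid/setgid bits, whether
    or not the chown implementation preserves them.  Returns the final st_mode.

    Assumed (hypothetical) layout: `quarantine_dir` is private to the job
    (mode 0700) and on the same filesystem as `src` and `dest_dir`, so the
    renames are atomic and no other user can reach the file by path while it
    is being fixed up.
    """
    name = os.path.basename(src)
    held = os.path.join(quarantine_dir, name)
    # 1. Take the file out of reach of other users before changing anything.
    os.rename(src, held)

    fd = os.open(held, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError(f"{src}: not a regular file")
        # 2. A second hard link would give the original owner a path to the
        #    inode after it changes hands; refuse instead of racing.
        if st.st_nlink != 1:
            raise ValueError(f"{src}: {st.st_nlink} links, refusing")
        # 3. Change ownership through the descriptor, not the path.
        os.fchown(fd, uid, gid)
        # 4. Do not trust chown to have cleared the special bits (the point of
        #    this bug report): re-check on the same descriptor and strip them.
        after = os.fstat(fd)
        if has_special_bits(after.st_mode):
            os.fchmod(fd, stat.S_IMODE(after.st_mode) & ~SPECIAL_BITS)
            after = os.fstat(fd)
        final_mode = after.st_mode
    finally:
        os.close(fd)

    # 5. Only a clean, correctly owned file becomes visible in the archive.
    os.rename(held, os.path.join(dest_dir, name))
    return final_mode


def _make_layout(top: str):
    """Constructed directory layout: sticky drop dir, private quarantine, archive."""
    drop, hold, arch = (os.path.join(top, d) for d in ("drop", "hold", "archive"))
    os.mkdir(drop, 0o1777)
    os.mkdir(hold, 0o700)
    os.mkdir(arch, 0o755)
    return drop, hold, arch


def demo_setuid_document() -> int:
    """Constructed scenario from the report: a dropped document with the
    setuid bit set.  Returns the mode the file has once archived."""
    with tempfile.TemporaryDirectory() as top:
        drop, hold, arch = _make_layout(top)
        doc = os.path.join(drop, "report.txt")
        with open(doc, "w") as f:
            f.write("constructed sample document\n")
        os.chmod(doc, 0o4755)  # the bit a malicious user would have set
        return archive_file(doc, hold, arch, os.getuid(), os.getgid())


def demo_hard_linked_document() -> bool:
    """Constructed scenario: the owner kept a second hard link to the file.
    Returns True when archive_file refuses it (the file stays in quarantine)."""
    with tempfile.TemporaryDirectory() as top:
        drop, hold, arch = _make_layout(top)
        doc = os.path.join(drop, "report.txt")
        open(doc, "w").close()
        os.link(doc, os.path.join(top, "kept_by_owner"))
        try:
            archive_file(doc, hold, arch, os.getuid(), os.getgid())
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    mode = demo_setuid_document()
    print("archived mode:", stat.filemode(mode), "special bits left:", has_special_bits(mode))
    print("hard-linked file refused:", demo_hard_linked_document())
```

The demo functions run unprivileged because chown to one's own uid/gid is always permitted, so the same code can be exercised on a developer machine; in the real cron job `uid`/`gid` would be the archive user. The order of steps is what matters: the rename into a private directory closes the window Message #20 describes between the chown and the mode fix, and the fstat/fchmod pair after fchown is the explicit clearing of the bits that the POSIX text in Message #27 leaves to "appropriate privileges".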
Bug reopened, originator not changed.
Request was from Clint Adams <schizo@debian.org> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Michael Stone <mstone@debian.org>:
Bug#112597; Package fileutils.
Acknowledgement sent to Florian Weimer <Florian.Weimer@RUS.Uni-Stuttgart.DE>:
Extra info received and forwarded to list. Copy sent to Michael Stone <mstone@debian.org>.
Message #34 received at 112597@bugs.debian.org:
Clint Adams <schizo@debian.org> writes:
> I'm not sure what "appropriate privileges" are. However, I do note
> that it doesn't seem to say anything about replacing bits, and I
> don't see anything in the fileutils source that clears bits in
> accordance with POSIX.
It's up to the kernel to remove the setuid bit, and Linux 2.4.7
contains some code for this.
--
Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Information forwarded to debian-bugs-dist@lists.debian.org, Michael Stone <mstone@debian.org>:
Bug#112597; Package fileutils.
Acknowledgement sent to Clint Adams <schizo@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael Stone <mstone@debian.org>.
Message #39 received at 112597@bugs.debian.org:
> It's up to the kernel to remove the setuid bit, and Linux 2.4.7
> contains some code for this.
Yes, it does, and then chown reverses that.
Information forwarded to debian-bugs-dist@lists.debian.org, Michael Stone <mstone@debian.org>, fileutils@packages.qa.debian.org:
Bug#112597; Package fileutils.
Acknowledgement sent to opal@debian.org:
Extra info received and forwarded to list. Copy sent to Michael Stone <mstone@debian.org>, fileutils@packages.qa.debian.org.
Message #44 received at 112597@bugs.debian.org:
Hi
I just want to give some arguments on why to stay with the
current behaviour.
The argument as I see it for why this is a security problem is
that if root changes the owner of some suid/sgid/or_other file, that
is not enough.
Well, YOU SHOULD ALWAYS check suid/sgid things while doing such
things, or remove them if they should not be there. But only
if this is the intention.
My opinion is that the behaviour (preserving sgid/suid) is
very good for security reasons. The reason is that you will
make it a LOT easier to distribute permissions using sgid directories.
The old potato behaviour makes such things hard. I think chown
should change the owner (nothing more, except group sometimes), chgrp
should change the group (nothing more) and chmod should change the
permissions (nothing more). All other things are unexpected
behaviour.
So I want you to close the bug. Yes, I know that you probably
won't because others think it is a critical bug. :)
Regards,
// Ola
--
--------------------- Ola Lundqvist ---------------------------
/ opal@debian.org Björnkärrsgatan 5 A.11 \
| opal@lysator.liu.se 584 36 LINKÖPING |
| +46 (0)13-17 69 83 +46 (0)70-332 1551 |
| http://www.opal.dhs.org UIN/icq: 4912500 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
Information forwarded to debian-bugs-dist@lists.debian.org, Michael Stone <mstone@debian.org>, fileutils@packages.qa.debian.org:
Bug#112597; Package fileutils.
Acknowledgement sent to Clint Adams <schizo@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael Stone <mstone@debian.org>, fileutils@packages.qa.debian.org.
Message #49 received at 112597@bugs.debian.org:
> The argument as I see for why this is a security problem is
> that if root change the owner for some suid/sgid/or_other that
> is not enough.
> Well YOU SHOULD ALWAYS check suid/sgid things while doing such
> things, or remove them if they should not be there. But only
> if this is the intention.
How do you avoid the race condition which just led to an unauthorized
setuid shell for one of my users?
Reply sent to Michael Stone <mstone@debian.org>:
You have taken responsibility.
Notification sent to Andrew Suffield <asuffield@debian.org>:
Bug acknowledged by developer.
Message #54 received at 112597-close@bugs.debian.org:
We believe that the bug you reported is fixed in the latest version of
coreutils, which is due to be installed in the Debian FTP archive:
coreutils_5.0-5.diff.gz
to pool/main/c/coreutils/coreutils_5.0-5.diff.gz
coreutils_5.0-5.dsc
to pool/main/c/coreutils/coreutils_5.0-5.dsc
coreutils_5.0-5_i386.deb
to pool/main/c/coreutils/coreutils_5.0-5_i386.deb
fileutils_5.0-5_all.deb
to pool/main/c/coreutils/fileutils_5.0-5_all.deb
shellutils_5.0-5_all.deb
to pool/main/c/coreutils/shellutils_5.0-5_all.deb
textutils_5.0-5_all.deb
to pool/main/c/coreutils/textutils_5.0-5_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 112597@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Stone <mstone@debian.org> (supplier of updated coreutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 12 Jul 2003 09:11:08 -0400
Source: coreutils
Binary: shellutils coreutils fileutils textutils
Architecture: source all i386
Version: 5.0-5
Distribution: unstable
Urgency: low
Maintainer: Michael Stone <mstone@debian.org>
Changed-By: Michael Stone <mstone@debian.org>
Description:
coreutils - The GNU core utilities
fileutils - The GNU file management utilities (transitional package)
shellutils - The GNU shell programming utilities (transitional package)
textutils - The GNU text file processing utilities (transitional package)
Closes: 112597 194743 199205 200378 200542
Changes:
coreutils (5.0-5) unstable; urgency=low
.
* [23] upstream patch to make split --verbose actually verbose
(Closes: #199205)
* enable kill & su for freebsd (Closes: #194743)
* [24] upstream fix for du not displaying / on last line of du /
(Closes: #200542)
* Build-conflict on automake1.4 (Closes: #200378)
* chown no longer preserves setuid bits (Closes: #112597)
Files:
9f24a3058a10e28f9e010d856e5641c4 832 base required coreutils_5.0-5.dsc
5de7b40d81ad233011dbfd6501550e12 23321 base required coreutils_5.0-5.diff.gz
ceb8cd12ec6e962de6f9550f96b56ae6 4466 oldlibs extra textutils_5.0-5_all.deb
c5d8889db8d28522907f5db09829a45a 4460 oldlibs extra fileutils_5.0-5_all.deb
ae3f7ab5951606dcfad3e969a69d3d88 4458 oldlibs extra shellutils_5.0-5_all.deb
1f1770a8c20e2df3315b18ea06f1a4c6 2264452 base required coreutils_5.0-5_i386.deb
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Mar 9 09:23:42 2023.