current-users: Re: chown, quotas and security

Subject: Re: chown, quotas and security
To: Chris G. Demetriou <cgd@alpha.bostic.com>
From: I can teach you how to fish... <greywolf@autodesk.com>
List: current-users
Date: 11/07/1994 14:04:24
Wow.  Hadn't even *thought* of those.  Yes, that's a pretty good motivation
for not permitting chown to users, from an administrative point of view.

I could of course argue that chowning files to root should not be permitted
unless you are the super-user, but then that's reeeeealllly stretching it.

I concede the point -- there's just too much that could go wrong, even
without the mail hole.

#define AUTHOR "cgd@alpha.bostic.com ("Chris G. Demetriou")"

/*
 * > The current state of chown(2) conforms exactly to what Berkeley intended:
 * > Since quotas may be enabled (as well as other reasons), users should not
 * > be allowed to give away files as this defeats accounting procedures.
 * > (Or something to that effect...).  The code reflects this.
 * 
 * I wasn't quite sure of all the fun implications of making chown()
 * legal for non-root users.  here are some fun ones:
 * 	(1) somebody doesn't have a mail spool file, on a system where
 * 		the mail spool directory is mode 1777.  i create
 * 		a mail spool with their name, give it permissions
 * 		such that i can read it, and chown it to them.
 * 		(note that 1777 mail spool dirs aren't the default
 * 		in NetBSD, but some people prefer them; this isn't
 * 		a straw man.)
 * 	(2) certain editors (vi, ex) will use a "local" configuration
 * 		file, if it exists in the current directory and is
 * 		owned by the invoker of the editor.
 * 		echo a_fun_ex_command > /tmp/.exrc ; chown root \
 * 			/tmp/.exrc 
 * 		INSTANT TIME BOMB!
 * 
 * unless i'm presented with _very_, _very_ strong motivation for
 * allowing chown() to normal users, in my opinion this presents too
 * large a set of potential holes to be allowed.  I don't think i'd even
 * entertain the idea of allowing the sysad to set up the standard
 * chown(8) (e.g. by making it set-id, or something) to allow users
 * to give away files.
 * 
 * It's just _not_ a good idea, regardless of whether or not quotas are on.
 * 
 * 
 * 
 * cgd
 * 
 * 
 * 
 * 
 * 
 */

#undef AUTHOR	/* "cgd@alpha.bostic.com ("Chris G. Demetriou")" */



--
 _______Wizardry is dead._____ _____WHO: Greywolf (my nameplate even says so)
/ ___\ _ \ __\ V / \  / /__ \| | __/WHAT: UNIX System Mangler...er, Admin
\ \| |   < _| ` ' \ '` / \/ /|_| _/ WHERE: Autodesk, Inc.  3 Harbor Dr.
 \___|_|\_\__\|_|  \/\/ \__/___/_|  Sausalito, CA 94965 (415) 332-2344 x4219
	see also: gandalf@netcom.com