Subject: Re: clearing suid/sgid bits upon ownership change
To: Rob Windsor <windsor@warthog.com>
From: Klaus Klein <kleink@ira.uka.de>
List: tech-kern
Date: 12/10/1997 14:43:31
Rob Windsor <windsor@warthog.com> writes:
> vfs_syscalls.c - line 1664
>
> /* Clear (S_ISUID | S_ISGID) bits: alter va_mode only if necessary. */
> if (vattr.va_mode & (S_ISUID | S_ISGID))
>         newmode = vattr.va_mode & ~(S_ISUID | S_ISGID);
>
> Clears any suid or sgid bits if owner or group changes. Even something
> insane like clearing the suid bit if you change the group ownership.

Yes.

> This sucks. Please #ifdef it or change it so that this appears when
> securelevel >1. I can't stand this behavior. No other modern un*x in the
> world does this insane crap. I just love `surprises' like this in NetBSD --
> not.

1) POSIX.1 *requires* chown(2) to clear the set[gu]id bits, at least
if the caller is not the superuser. It is implementation-dependent
whether they are cleared if the caller is the superuser; after
discussing this matter with Charles Hannum we decided not to check for
that condition; I *do* admit that one might argue about that.
2) Every "other modern un*x in the world" does this, at least for the
non-superuser case.
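
A small C probe for the behaviour discussed in this message, added here as an example; it is not part of the original e-mail or of NetBSD's source. The names `mode_after_chown` and `probe_chown` and the scratch path under /tmp are assumptions: the first mirrors the masking in the quoted snippet, the second reports what the running kernel actually does on a chown to the caller's own IDs.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Rule from the quoted snippet: strip both bits if either one is set. */
mode_t mode_after_chown(mode_t mode)
{
    if (mode & (S_ISUID | S_ISGID))
        mode &= ~(S_ISUID | S_ISGID);
    return mode;
}

/* Create a scratch file with mode `want`, chown it to the caller's own
 * uid/gid (needs no privilege), and return the mode seen afterwards or -1. */
long probe_chown(mode_t want)
{
    char path[] = "/tmp/chown-probe-XXXXXX";  /* constructed scratch path */
    struct stat st;
    long result = -1;
    int fd = mkstemp(path);

    if (fd < 0)
        return -1;
    if (fchmod(fd, want) == 0 && fstat(fd, &st) == 0 &&
        (st.st_mode & 07777) == want &&       /* the bits really got set */
        fchown(fd, geteuid(), getegid()) == 0 &&
        fstat(fd, &st) == 0)
        result = (long)(st.st_mode & 07777);
    close(fd);
    unlink(path);
    return result;
}

/* Exit status: 0 = kernel matches the snippet's rule, 1 = differs, 2 = probe failed. */
int main(void)
{
    mode_t before = S_ISUID | S_ISGID | 0755;
    long after = probe_chown(before);

    if (after < 0)
        return 2;
    printf("before %04lo, after %04lo, snippet rule gives %04lo\n", (unsigned long)before,
           (unsigned long)after, (unsigned long)mode_after_chown(before));
    return after == (long)mode_after_chown(before) ? 0 : 1;
}
```

Run it once as an ordinary user and once as root to see the superuser case that POSIX.1 leaves implementation-dependent.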