Subject: overwriting and copying keeps original setuid bit
To: None <tech-security@netbsd.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: tech-security
Date: 05/11/2007 15:07:55
I noticed that overwriting a setuid file with a non-setuid file keeps the
original setuid bit.
I noticed this on an old version of NetBSD-current when I installed my
smtp outbound mail relay that is setgid (not setuid).
And reproduced on NetBSD 3.1:
ca# echo hello > abc
ca# echo something else > def
ca# chown reed def
ca# chown root abc
ca# chmod 4755 abc
ca# ls -l abc def
-rwsr-xr-x 1 root reed 6 May 11 12:57 abc
-rw-r--r-- 1 reed reed 15 May 11 12:57 def
ca# cp def abc
ca# ls -l abc def
-rwsr-xr-x 1 root reed 15 May 11 12:58 abc
-rw-r--r-- 1 reed reed 15 May 11 12:57 def
Even copying it saves the setuid:
ca# cp abc ghi
ca# ls -l ghi
-rwsr-xr-x 1 root reed 15 May 11 12:58 ghi
Now as non-root:
The following as non-root loses the setuid bit if overwritten -- but keeps
it when copying:
ca:/home/reed/tmp$ echo Hello > ABC
ca:/home/reed/tmp$ echo Goodbye > DEF
ca:/home/reed/tmp$ chmod 4755 ABC
ca:/home/reed/tmp$ ls -l ABC DEF
-rwsr-xr-x 1 reed reed 6 May 11 13:00 ABC
-rw-r--r-- 1 reed reed 8 May 11 13:00 DEF
ca:/home/reed/tmp$ cp DEF ABC
ca:/home/reed/tmp$ ls -l ABC DEF
-rwxr-xr-x 1 reed reed 8 May 11 13:01 ABC
-rw-r--r-- 1 reed reed 8 May 11 13:00 DEF
ca:/home/reed/tmp$ chmod 4755 ABC
ca:/home/reed/tmp$ cp ABC GHI
ca:/home/reed/tmp$ ls -l ABC GHI
-rwsr-xr-x 1 reed reed 8 May 11 13:01 ABC
-rwsr-xr-x 1 reed reed 8 May 11 13:01 GHI
Keeping a previous file's setuid (or setgid) is wrong.
On many systems, copying a setuid file loses the mode. Losing the mode is
normal.
Jeremy C. Reed
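
One way to overwrite a file so that the destination's old setuid/setgid bit cannot carry over, shown as an added example that is not part of the original message. The function names are hypothetical, and the script assumes a mktemp that supports -d with a template.

```shell
#!/bin/sh
# Added example: replace a file's contents without inheriting the old
# file's setuid/setgid bits. Function names are hypothetical.

# has_suid_sgid FILE: succeed if FILE carries a setuid or setgid bit.
has_suid_sgid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# replace_file SRC DST: install SRC's contents at DST via a fresh inode.
replace_file() {
    src=$1 dst=$2
    # Stage in the destination directory so the final mv is a rename(2).
    stage=$(mktemp -d "$(dirname "$dst")/.replace.XXXXXX") || return 1
    # cp to a new name creates a new file; DST's mode is never consulted.
    if cp "$src" "$stage/new" &&
       chmod u-s,g-s "$stage/new" &&   # drop bits a cp may copy from SRC
       mv -f "$stage/new" "$dst"
    then
        rmdir "$stage"
    else
        rm -rf "$stage"
        return 1
    fi
}

# demo: rebuild the abc/def case from the report in a scratch directory.
demo() {
    work=$(mktemp -d) || return 1
    echo hello > "$work/abc"            # constructed sample files
    echo "something else" > "$work/def"
    chmod 4755 "$work/abc"
    replace_file "$work/def" "$work/abc"
    ls -l "$work/abc"
    if has_suid_sgid "$work/abc"; then rc=1; else rc=0; fi
    rm -rf "$work"
    return "$rc"
}

demo
```

Because the destination becomes a new inode, it is owned by the user running the script rather than by the old file's owner, and any hard links to the old file keep the old contents and mode.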