chown security problem
From: Kirill Korotaev
Subject: chown security problem
Date: Thu, 17 Feb 2005 10:58:28 +0300
User-agent: Mozilla/5.0 (X11; U; Linux i686; ru-RU; rv:1.2.1) Gecko/20030426

Hello all,

I recently found that chown tries to keep the SUID bit the same as it was
for the previous user. I think it is totally wrong and insecure!
It leads to a hard-exploitable race when a user triggers the SUID bit on its
file and the superuser changes the owner to itself.

make under user:
$ touch aaa
$ chmod 755 aaa
$ ls -l aaa
-rwxr-xr-x 1 user user 0 Фев 16 14:00 aaa
$ chmod 04755 aaa
make under root:
# strace chown root:root aaa
[...]
lstat64("aaa", {st_mode=S_IFREG|S_ISUID|0755, st_size=0, ...}) = 0
chown32("aaa", 0, 0) = 0
chmod("aaa", 0104755) = 0 <<<<<<< OOOOOPPPPSSSSSS
exit_group(0) = ?
# ls -l aaa
-rwsr-xr-x 1 root root 0 Фев 16 14:01 aaa
Kirill
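
Added example (not part of the original message and not chown's own code): one way to change a file's owner without re-applying set-ID bits, in contrast to the chown32-then-chmod sequence in the strace above. The function names are hypothetical, and the demo uses a constructed temp file chowned to the caller's own IDs so it runs without root.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits to leave after an owner change: set-ID bits are dropped. */
mode_t mode_after_owner_change(mode_t mode)
{
    return mode & 07777 & ~(mode_t)(S_ISUID | S_ISGID);
}

/* Change owner via a descriptor (no symlink following), then re-read the mode
   once the old owner can no longer chmod and clear any set-ID bit left. */
mode_t chown_dropping_setid(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    mode_t result = (mode_t)-1;               /* (mode_t)-1 signals failure */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return result;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
        && fchown(fd, uid, gid) == 0
        && fstat(fd, &st) == 0
        && fchmod(fd, mode_after_owner_change(st.st_mode)) == 0
        && fstat(fd, &st) == 0)
        result = st.st_mode & 07777;          /* final permission bits */
    close(fd);
    return result;
}

/* Constructed demo: a mode-04755 temp file, "chowned" to the caller's own
   effective IDs. Returns the final mode, or (mode_t)-1 on error. */
mode_t demo_final_mode(void)
{
    char path[] = "/tmp/chown-demo-XXXXXX";
    int fd = mkstemp(path);
    mode_t m = (mode_t)-1;
    if (fd < 0)
        return m;
    if (fchmod(fd, 04755) == 0)
        m = chown_dropping_setid(path, geteuid(), getegid());
    close(fd);
    unlink(path);
    return m;
}

int main(void) { printf("%04o\n", (unsigned)demo_final_mode()); return 0; }
```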