chown() bug in fs/open.c

Juergen Hannappel (hannappe@lisa2.physik.uni-bonn.de)
05 Jun 1998 14:34:24 +0200


Hello,
I found a bug or at least an undocumented feature that contradicts
the comments in the file fs/open.c in the chown() function, both present
in the 2.0.33 and 2.1.94 versions...
In the section
	/*
	 * If the owner has been changed, remove the setuid bit
	 */
	if (inode->i_mode & S_ISUID) {
		newattrs.ia_mode &= ~S_ISUID;
		newattrs.ia_valid |= ATTR_MODE;
	}
	/*
	 * If the group has been changed, remove the setgid bit
	 *
	 * Don't remove the setgid bit if no group execute bit.
	 * This is a file marked for mandatory locking.
	 */
	if (((inode->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) {
		newattrs.ia_mode &= ~S_ISGID;
		newattrs.ia_valid |= ATTR_MODE;
	}
the announced checks on changed owner/group are NOT done, so the setuid/setgid
bits are cleared anyhow. A more correct version would be
	/*
	 * If the owner has been changed, remove the setuid bit
	 */
	if (inode->i_mode & S_ISUID && inode->i_uid != newattrs.ia_uid) {
		newattrs.ia_mode &= ~S_ISUID;
		newattrs.ia_valid |= ATTR_MODE;
	}
	/*
	 * If the group has been changed, remove the setgid bit
	 *
	 * Don't remove the setgid bit if no group execute bit.
	 * This is a file marked for mandatory locking.
	 */
	if (((inode->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
	    && inode->i_gid != newattrs.ia_gid) {
		newattrs.ia_mode &= ~S_ISGID;
		newattrs.ia_valid |= ATTR_MODE;
	}

-- 
$Id: .signature,v 1.6 1998/06/04 14:00:33 hannappe Exp $ (i like/use cvs)
Dr. Juergen Hannappel            Office: W205           Phone: +49 228  73 3605
mailto:hannappe@lisa2.physik.uni-bonn.de   Physikalisches Institut der Uni Bonn
http://lisa2.physik.uni-bonn.de/~hannappe   Nussallee 12, D-53115 Bonn, Germany
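A user-space model of the two variants in the mail, added here as an example (it is not the kernel's code and not part of the original message): the two conditions are reproduced as plain functions over a mode and the old and new ids, so the difference in what happens to the setuid/setgid bits can be checked without a kernel build. The sample ids and modes are constructed.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Variant as quoted from fs/open.c: the comments promise a check for a
 * changed owner/group, but the conditions never look at the new ids. */
static mode_t chown_mode_as_posted(mode_t i_mode, uid_t i_uid, gid_t i_gid,
                                   uid_t new_uid, gid_t new_gid)
{
	mode_t mode = i_mode;
	(void)i_uid; (void)i_gid; (void)new_uid; (void)new_gid; /* unused here */
	if (mode & S_ISUID)
		mode &= ~S_ISUID;
	/* setgid without group-execute marks mandatory locking: keep it */
	if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
		mode &= ~S_ISGID;
	return mode;
}

/* The version proposed in the mail: a bit is only dropped when the
 * matching id actually changes; the mandatory-locking rule is unchanged. */
static mode_t chown_mode_proposed(mode_t i_mode, uid_t i_uid, gid_t i_gid,
                                  uid_t new_uid, gid_t new_gid)
{
	mode_t mode = i_mode;
	if ((mode & S_ISUID) && i_uid != new_uid)
		mode &= ~S_ISUID;
	if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)
	    && i_gid != new_gid)
		mode &= ~S_ISGID;
	return mode;
}

int main(void)
{
	/* constructed sample: setuid+setgid executable owned by 1000:100 */
	mode_t m = S_ISUID | S_ISGID | 0755;
	printf("same ids:   posted=%04o proposed=%04o\n",
	       chown_mode_as_posted(m, 1000, 100, 1000, 100),
	       chown_mode_proposed(m, 1000, 100, 1000, 100));
	printf("new owner:  posted=%04o proposed=%04o\n",
	       chown_mode_as_posted(m, 1000, 100, 1001, 100),
	       chown_mode_proposed(m, 1000, 100, 1001, 100));
	/* mandatory-locking file (setgid, no group exec): both keep S_ISGID */
	printf("lock file:  posted=%04o proposed=%04o\n",
	       chown_mode_as_posted(S_ISGID | 0644, 1000, 100, 1000, 200),
	       chown_mode_proposed(S_ISGID | 0644, 1000, 100, 1000, 200));
	return 0;
}
```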