Re: chown and security
Richard Gooch (rgooch@atnf.CSIRO.AU)
Sun, 8 Feb 1998 18:40:49 +1100
Andi Kleen writes:
> Andries.Brouwer@cwi.nl writes:
>
> > Updating the man pages for system calls, I noticed
> > that we have an lchown these days. Hopefully everybody
> > is aware of the fact that every old chown(1) is now a
> > security risk on every recent Linux system.
> > ["chown -R foo /home/bar" will now change the ownership
> > of /etc/passwd if there was a symbolic link to that
> > under /home/bar.]
>
> This is very bad. Perhaps the behaviour should be made an sysctl
> option, with the default to the old chown semantics.
The new Linux behaviour is consistent with Solaris, Dec Unix and IRIX,
to name a few. And it is also consistent with other syscalls in Linux
and other OS's. Hence, IMHO it is the correct behaviour and a sysctl
is not needed.
The <chown> utility should be modified to use <lchown> instead, and an
option given to control this.
Regards,
Richard....
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu