non-superuser chown(2)s considered harmful

Dan Bernstein brnstnd at kramden.acf.nyu.edu
Wed Dec 12 13:11:04 AEST 1990


In article <1990Dec10.143716.26999 at mp.cs.niu.edu> rickert at mp.cs.niu.edu (Neil Rickert) writes:
> In article <2800:Dec1001:29:4890 at kramden.acf.nyu.edu> brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
> >Exactly. This is why several people have been arguing for chown() to
> >work between current and effective uids. Does chown() have any other
> >reasonable use?
>  A great idea.  Just look at the flexibility it will provide creators of
> trojan horse programs.

That's a silly objection. It won't provide any extra flexibility, since
a program with access to another uid can always find every link to a
file, read the data, remove the links, and put in new links to a new
file under the other uid with the same data. The only time this doesn't
work is when the parent directory is not owned by either uid, but what's
the difference between ``vee haff destroyed zee enemy'' and ``vee haff
utterly destroyed zee enemy''? Trojan Horses are deadly in any case.

chown() between uid and euid will improve security for lots of system
programs without introducing any noticeable security holes.

---Dan
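The post's argument is that denying chown(2) buys nothing, because a process that can write the parent directory can already re-create a file under its own uid by reading the data, removing the links and creating new ones. The script below is an added example (not part of the thread, not Bernstein's code) that does exactly that on a constructed temp file and reports the two caveats the post names: an unwritable parent directory, and hard links that keep pointing at the old inode.

```python
import os
import stat
import tempfile

def replace_as_self(path):
    """Re-create `path` as a file owned by this process's effective uid, with the
    same bytes and permission bits, without ever calling chown(2).  This is the
    'read the data, remove the links, put in new links' route the post describes.
    Returns a summary of what changed."""
    before = os.stat(path)
    parent = os.path.dirname(path) or "."
    # The one case the post concedes does not work: we cannot unlink/rename
    # entries in a directory we have no write access to.
    if not os.access(parent, os.W_OK):
        raise PermissionError("no write access to %s; cannot relink" % parent)
    with open(path, "rb") as f:
        data = f.read()
    # mkstemp opens a brand-new file (O_CREAT|O_EXCL) owned by our euid; rename
    # then atomically swaps it in at the original name.
    fd, tmp = tempfile.mkstemp(dir=parent)
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(data)
        os.chmod(tmp, stat.S_IMODE(before.st_mode))
        os.rename(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    after = os.stat(path)
    return {
        "inode_changed": before.st_ino != after.st_ino,
        "owner_is_euid": after.st_uid == os.geteuid(),
        "mode": stat.S_IMODE(after.st_mode),
        # Other hard links still name the OLD inode; a full transfer has to
        # find and replace every one of them, as the post says.
        "stale_links": before.st_nlink - 1,
    }

def demo():
    """Constructed sample: a 0640 file in a temp dir, plus one extra hard link."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "notes.txt")
    with open(path, "wb") as f:
        f.write(b"hello from the old inode\n")
    os.chmod(path, 0o640)
    os.link(path, os.path.join(d, "notes.bak"))  # second link to the same inode
    result = replace_as_self(path)
    with open(path, "rb") as f:
        result["content"] = f.read()
    return result

if __name__ == "__main__":
    print(demo())
```

Run as an ordinary user the new file is owned by that user's euid; the point for a defender is that a setuid program gets the same result without any chown(2), so a chown restriction is not where the protection lives.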


