rock-and-roll [Re: Retaining file permissions] [long]

John F Haugh II jfh at rpp386.cactus.org
Thu Mar 7 11:07:44 AEST 1991


The attribution of this article is completely screwed up.  Apologies are
made in advance to everyone involved ...

In article <7391 at mentor.cc.purdue.edu> asg at sage.cc.purdue.edu (The Grand Master) writes:
>In article <1991Mar1.173548.8371 at athena.mit.edu> (Jonathan Kamens) write:
>}  This is an ASSUMPTION.  Can you prove, exhaustively, that if a user can,
>}through some security hole, make a file executable on a Unix system, it
>}follows that they can also make it setuid?
>
>                                      It is not logical to even dream
>that it would be possible to change one bit on a file permission without being
>able to change any of them.

Your logic is fairly correct - the ability to change the mode bits of a
file via some random security hole would seem to imply that you are able
to change any mode bit whatsoever, including the setuid mode bits.  This
is all very true, but also very boring.

What you have done is assumed that the problem exists, and therefore
stated that the problem probably exists - that is, assume the existence
of a security hole that would allow you to change any single bit in
the permissions and that same security hole would allow you to change
a specific bit.  You are going from the general to the specific, and
that little transformation is always permitted when making arguments
of this nature.

>}is QUITE POSSIBLE that there is a security hole which would allow someone to
>}make a file that they do not own executable, while not allowing them to make
>
>It is also quite possible that someone could turn on the suid bit without
>being able to turn on the execute bit. Do you therefore suggest we have
>the execute bit turned off upon a write to a file?

You are arguing a straw man - execute permission grants NOTHING that
=read= permission does not grant us.  In particular because =read=
permission allows us to copy the file and then set the execute permission
on the file which we know own.  On the other hand, the setuid bit does
grant additional permission and that privilege should be contained in
some fashion.  You are arguing apples and oranges.  Clearing the write bit
costs you nothing - the ability to modify a binary which you could have
copied and modified yourself.  Clearing the setuid bit costs you a
completely different something - the ability to become another user
running an arbitrary executable.

>jik at athena never did give any comments on this article, just a reply
>with some name-calling stating that he would not post it

And well he shouldn't.
-- 
John F. Haugh II        | Distribution to  | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832 | GEnie PROHIBITED :-) |  Domain: jfh at rpp386.cactus.org
"I've never written a device driver, but I have written a device driver manual"
                -- Robert Hartman, IDE Corp.



More information about the Comp.unix.internals mailing list