Thanks a lot for the report and analysis.
That is a bug in GNU cp from fileutils-4.1, since POSIX explicitly
requires that cp (with neither -p nor -a) clear the set-user-ID and
set-group-ID bits when creating new files.

Here's the patch (I'll fix the documentation, too):

Index: copy.c
===================================================================
RCS file: /fetish/fileutils/src/copy.c,v
retrieving revision 1.97
diff -u -p -r1.97 copy.c
--- copy.c      2001/05/12 09:58:03     1.97
+++ copy.c      2001/07/08 21:12:31
@@ -86,9 +86,11 @@ get_dest_mode (const struct cp_options *
   if (option->set_mode)
     return option->mode;
 
-  /* Honor the umask for `cp', but not for `mv' or `cp -p'.  */
+  /* Honor the umask for `cp', but not for `mv' or `cp -p'.
+     In addition, `cp' without -p must clear the set-user-ID and set-group-ID
+     bits.  POSIX requires it do that when creating new files.  */
   if (!option->move_mode && !option->preserve_chmod_bits)
-    mode &= option->umask_kill;
+    mode &= (option->umask_kill & ~(S_ISUID | S_ISGID));
 
   return mode;
 }
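Review bot: the forwarded request quoted below asks that plain cp drop all three bits the umask cannot control, but the new mask at `mode &= (option->umask_kill & ~(S_ISUID | S_ISGID));` clears only set-user-ID and set-group-ID and leaves S_ISVTX alone; if keeping the sticky bit is deliberate (POSIX names only the two set-ID bits), say so in the new comment, otherwise widen the mask to `~(S_ISUID | S_ISGID | S_ISVTX)`. The comment also states that POSIX requires this "when creating new files", while the masking is applied whenever neither move_mode nor preserve_chmod_bits is set, so it is worth confirming from the callers that this path is only taken for newly created destinations, or rewording the comment to match.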

[EMAIL PROTECTED] wrote:
| I thought the enclosed conversation would be of interest. Prior to
| contacting Solar Designer I did look at the fileutils (4.1) info for cp
| and was unable to find the information he mentions. Most users might not
| pick up on this subtlety and the results could be disastrous.
|
|
| fractoid
| From: [EMAIL PROTECTED]
| Subject: Re: cp as root and +s
| To: [EMAIL PROTECTED]
| Date: Sun, 8 Jul 2001 04:42:09 +0400
|
| On Sat, Jul 07, 2001 at 07:08:38PM -0400, [EMAIL PROTECTED] wrote:
|
| Hi,
|
| > I'd like to ask your opinion. Let's say I have a file (bin) which is suid a
| > non-privileged user, which I copy to another file while I'm root.
| > The new file is now SUID *ROOT*. A reputable Linux kernel developer informs
| > me that this is expected behavior for root, and I find this incredibly
| > dangerous, and unexpected.
|
| (This has nothing to do with the kernel, it's a property of cp.)
|
| > Is this something that should be prevented in secure systems?
|
| Yes, I think so.  This is really the expected behavior if you read the
| texinfo documentation for GNU fileutils, but I agree that most people
| wouldn't expect cp to leave the SUID and SGID bits when cp isn't told
| to also preserve the file's ownership.
|
| `-p'
| `--preserve'
|      Preserve the original files' owner, group, permissions, and
|      timestamps.  In the absence of this option, each destination file
|      is created with the permissions of the corresponding source file,
|      minus the bits set in the umask. *Note File permissions::.
|
| I think that cp without -p (and -a) should also not copy the three
| bits not controllable with umask.
|
| Feel free to forward this to <[EMAIL PROTECTED]> and please CC me
| if you do so.
|
| --
| /sd
| ----------

_______________________________________________
Bug-fileutils mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/bug-fileutils
