Return to BSD News archive
Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.Hawaii.Edu!ames!enews.sgi.com!www.nntp.primenet.com!nntp.primenet.com!feed1.news.erols.com!uunet!in2.uu.net!news1.iamerica.net!xavier.varmm.com!not-for-mail From: AJ Musgrove <musgrove@xavier.varmm.com> Newsgroups: comp.unix.bsd.freebsd.misc Subject: Re: Why chown(2) is privileged? Date: 20 Nov 1996 16:13:48 GMT Organization: A poorly-installed InterNetNews site Lines: 30 Message-ID: <56vans$k8j@news1.iamerica.net> References: <CANDY.96Oct24222129@xxx.fct.kgc.co.jp> <w7k9rsjv54.fsf@mud.imperium.net> NNTP-Posting-Host: 206.81.50.10 X-Newsreader: TIN [UNIX 1.3 unoff BETA release 960917] Mark Lehrer <edge@mud.imperium.net> wrote: : candy@fct.kgc.co.jp (Toshihiro Kanda) writes: : > Hello. Chown(2) fails if non super-user try to change the owner : > uid of his/her files. Why does BSD disallow non super-user to : > transfer ownership of files to the others? : Just about all Unixes do this - i'm not sure what the rationale : is, except that it is a non-reversible action... Here is the other rational. Consider I am logged in as "user" and run the following commands. % cp /bin/sh /tmp/backdoor % chmod a+rwxs /tmp/backdoor % chown root /tmp/backdoor Explanation: I make a copy of the shell, make it suid, then make root own it. I now have a way to become root without knowning the password. I guess chown could be modified to removed the suid bit with chown'ing... -- AJ Musgrove ---------------------------------------------------------------- My opinions do not necessarily reflect those of my employer, or anyone else for that matter. O- ----------------------------------------------------------------