bug-coreutils

Re: [anonymous] [bugs #11638] chmod and setgid bit


From: Andreas Schwab
Subject: Re: [anonymous] [bugs #11638] chmod and setgid bit
Date: Fri, 21 Jan 2005 01:10:38 +0100
User-agent: Gnus/5.110002 (No Gnus v0.2) Emacs/21.3.50 (gnu/linux)

Jim Meyering <address@hidden> writes:

> I understand the reasons why you could have decided to remove the
> setgid/setuid bit from an executable when it's changed mode or owner, since
> this could grant privileges to users not allowed to have them.
> But the setgid bit on directories has a very specific behavior. It only
> ensures files or directories created in the setgid dir will have the same
> group (+setgid bit for directories) as their parent. Very useful for HTML
> dirs as I explained before. But not if it's removed on chmod! I see no harm
> letting the setgid bit active whenever anyone changes modes for the
> directory.
>
> What do you think about it? :)

This is enforced by the chmod syscall.  There is no way to re-add the
setgid bit unless you are a member of the group or the superuser.  POSIX
allows this as an implementation-defined restriction.  All systems that
implement the SYSV-style setgid behaviour on directories will also have
this restriction for security reasons.

Andreas.

-- 
Andreas Schwab, SuSE Labs, address@hidden
SuSE Linux Products GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."
