Re: suid binaries should not be writable by owner

To: Joey Hess <joeyh@debian.org>
Cc: debian-policy@lists.debian.org
Subject: Re: suid binaries should not be writable by owner
From: Brian May <bam@debian.org>
Date: 06 Feb 2001 14:35:55 +1100
Message-id: <[🔎] 84itmocwkk.fsf@snoopy.apana.org.au>
In-reply-to: Joey Hess's message of "Mon, 5 Feb 2001 19:27:17 -0800"
References: <[🔎] 20010205192407.L21552@kitenet.net> <[🔎] 20010205192717.M21552@kitenet.net>

>>>>> "Joey" == Joey Hess <joeyh@debian.org> writes:

    Joey> Argh, egg on face: linux lets the owner of a file modify it
    Joey> even if it is mode 444 and in a directory they do not
    Joey> own. Yuck! Is this standard unix semantics? It sucks.

The directory is irrelevant - you are not changing the directory, only
a file (technically the inode) within.

However, I am a bit surprised you can edit the file, normally you
would have to make it 644 first. Perhaps your editor or whatever
does this for you?

As an example:

[578] [snoopy:bam] /tmp/a >ls -l
total 0
-r--r--r--    1 bam      root            0 Feb  6 14:30 b
[579] [snoopy:bam] /tmp/a >echo aaa >> b
zsh: permission denied: b
[580] [snoopy:bam] /tmp/a >chmod 644 b
[581] [snoopy:bam] /tmp/a >echo aaa >> b


Where a has:

drwxr-xr-x    2 root     root         4096 Feb  6 14:30 ./

This is standard Unix semantics.


Sooo... your proposal might get a little gain in security, but not
much, since the owner of the file can just turn on write permission
anyway.
-- 
Brian May <bam@debian.org>

Reply to:

References:
- suid binaries should not be writable by owner
  - From: Joey Hess <joeyh@debian.org>
- Re: suid binaries should not be writable by owner
  - From: Joey Hess <joeyh@debian.org>

Prev by Date: Re: suid binaries should not be writable by owner
Next by Date: Re: suid binaries should not be writable by owner
Previous by thread: Re: suid binaries should not be writable by owner
Next by thread: Re: suid binaries should not be writable by owner
Index(es):
- Date
- Thread