From kube@japo.fi  Tue Sep  3 05:30:42 1996
Received: from aapo.japo.fi (kube@aapo.japo.fi [194.136.70.70]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id FAA24826 for <best-of-security@suburbia.net>; Tue, 3 Sep 1996 05:30:31 +1000
Received: from localhost (kube@localhost) by aapo.japo.fi (8.7.5/8.7.3) with SMTP id WAA22513; Mon, 2 Sep 1996 22:29:04 +0300 (EET DST)
Date: Mon, 2 Sep 1996 22:29:03 +0300 (EET DST)
From: Hannu Laurila <Hannu.Laurila@japo.fi>
To: Michael Douglass <mikedoug@texas.net>
cc: "Justin M. Collins" <jcollins@firestorm.servtech.com>,
        Martin Ibert <mib@ppe.bb-data.de>, best-of-security@suburbia.net
Subject: Re: BoS: More on the UnixWare problem
In-Reply-To: <Pine.GSO.3.94.960902130901.19264c-100000@staff1.texas.net>
Message-ID: <Pine.UW2.3.95.960902221021.22138B-100000@aapo.japo.fi>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE

On Mon, 2 Sep 1996, Michael Douglass wrote:

> No, the bug is in chgrp.  chgrp should not allow you to change a file's
> group to a group which you are not in.  In other words, if you are not
> in the kmem group, you should not be able to chgrp a file to that group.

Allowing changing owner/group of file to one you do not belong to is more
a feature than a bug. It is an old AT&T tradition and in my opinion it's
not a very admirable one. To hear more about this kind of bug would not
be a big surprise.

Security-conscious people might want to replace this behaviour with
something better. In Unixware 2, for example, there is a kernel tunable
for adjusting the behaviour. Here is a quote from Unixware FAQ:

Subject: T41) How can I revert to the BSD form of (restricted) chown?


By default, chown() system call comes with the old AT&T behavior and
allows a user to change the ownership of a file he owns to that of any
other user on the system.

How can I modify the behavior to the BSD-form (only root can change
the ownership of a file)?

The BSD way is the FIPS 151-2 and XPG4 way, and indeed there is a tuneable
called RSTCHOWN. For strict conformance (and when testing for
POSIX FIPS 151-2, XPG etc) this should be set to one.

/etc/conf/bin/idtune -g RSTCHOWN  will return its value.

To set it do

     # /etc/conf/bin/idtune RSTCHOWN 1
     # /etc/conf/bin/idbuild

and then reboot.


---
Hannu Laurila - kube@japo.fi  *  Kauppakatu 10, FIN-62900 ALAJÄRVI
Alajärven Puhelinosuuskunta   *  Tel +358 66 557 2209 - Fax +358 66 557 2788
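
Added example, not part of the original message or of the UnixWare FAQ: a small C audit that asks the system, per path, whether the restricted (BSD/POSIX) chown policy discussed above is in effect, using the standard POSIX query pathconf() with _PC_CHOWN_RESTRICTED. The function names and the paths in main() are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Outcome of the policy query for one path (names are hypothetical). */
enum chown_policy { CHOWN_ERROR = -1, CHOWN_GIVEAWAY = 0, CHOWN_RESTRICTED = 1 };

/*
 * pathconf(path, _PC_CHOWN_RESTRICTED) returns a value other than -1 when
 * chown() is restricted to privileged processes for that path.
 * A return of -1 is ambiguous and must be resolved through errno:
 *   errno unchanged -> option not in effect (old AT&T file giveaway allowed)
 *   errno set       -> the query itself failed (bad path, no permission, ...)
 */
enum chown_policy chown_policy(const char *path)
{
    errno = 0;
    long v = pathconf(path, _PC_CHOWN_RESTRICTED);
    if (v != -1)
        return CHOWN_RESTRICTED;
    return errno == 0 ? CHOWN_GIVEAWAY : CHOWN_ERROR;
}

/* Check each path; return how many are not confirmed as restricted. */
int audit_paths(const char *const *paths, int n)
{
    int findings = 0;
    for (int i = 0; i < n; i++) {
        switch (chown_policy(paths[i])) {
        case CHOWN_RESTRICTED:
            printf("%-12s chown restricted\n", paths[i]);
            break;
        case CHOWN_GIVEAWAY:
            printf("%-12s FILE GIVEAWAY ALLOWED\n", paths[i]);
            findings++;
            break;
        default:
            printf("%-12s query failed: %s\n", paths[i], strerror(errno));
            findings++;
        }
    }
    return findings;
}

int main(void)
{
    /* Example mount points; the policy can differ per filesystem. */
    const char *paths[] = { "/", "/tmp" };
    return audit_paths(paths, 2) ? 1 : 0;
}
```

The exit status is non-zero when any path is not confirmed as restricted, so the program can be run from a periodic configuration check.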

