Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!yale!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.internals
Subject: Re: non-superuser chown(2)s considered harmful
Message-ID: <3128:Dec1001:47:0490@kramden.acf.nyu.edu>
Date: 10 Dec 90 01:47:04 GMT
References: <18792@rpp386.cactus.org> <110075@convex.convex.com> <18796@rpp386.cactus.org>
Organization: IR
Lines: 17

In article <18796@rpp386.cactus.org> jfh@rpp386.cactus.org (John F Haugh II) writes:
> In article <110075@convex.convex.com> tchrist@convex.COM (Tom Christiansen) writes:
> >If you could switch a file's ownership between real and effective uid's,
> >this wouldn't be a problem. Since a process can always cp a file, at
> >which time it will be owned by whichever ID was active at the time, I
> >don't see why that can't be allowed.
> Yes, and this is a much better solution - restrict chown() to be between
> the real and effective UIDs, rather than completely out the window.

Right. Now we just have to convince Berkeley.

> However, in a co-operative environment (such as commercial installations)
> there is quite a bit of file-sharing going on in a very ad hoc fashion.

I prefer the control you get from a setuid program.

---Dan