Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84 exptools; site laidbak.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxr!mhuxn!ihnp4!laidbak!mdb
From: mdb@laidbak.UUCP (Mark Brukhartz)
Newsgroups: net.bugs.uucp,net.news.adm
Subject: Re: mkdir() under suid
Message-ID: <714@laidbak.UUCP>
Date: Sat, 8-Feb-86 15:30:17 EST
Article-I.D.: laidbak.714
Posted: Sat Feb  8 15:30:17 1986
Date-Received: Tue, 11-Feb-86 05:27:47 EST
References: <495@kepler.UUCP>
Organization: LAI Chicago
Lines: 55
Xref: watmath net.bugs.uucp:691 net.news.adm:507

> [...]
> Problem: Directories created by programs running under a user id
> different from the real user id (suid bit set) are owned
> by the real user and not the effective user.
>
> When honey danber uucico creates a machine directory, its
> ownership may be the person sending mail to that machine,
> and uux, running as user "uucp", will not be able to create
> command and data files.
> [...]
> But the news documentation hints at another solution -- building
> your own version of mkdir(). Did you do this? Will you share it
> with me?

System V allows one to give files and directories away with chown().
All known versions of UNIX let setuid processes give up their special
permissions. Together, these make it possible for a setuid command to
make a protected directory within a protected parent. Briefly:

  o Temporarily chmod() the parent directory to 777.

  o Fork and execute mkdir, which will make the new directory and leave
    it owned by the user of the setuid command (...as opposed to the
    *owner* of the command, which is what we want).

  o Chmod() the parent directory back to its original (protected)
    permissions.

  o Fork another child. Have it use setuid(getuid()) to relinquish
    setuid permissions, chown() to give the directory to the setuid
    ID, and exit.

This requires that the setuid command actually *own* the parent
directory, rather than merely having write access to it. Ownership is
necessary for chmod(). There is a window in which the parent directory
is mode 777, but it is very small.

Either of two features from the 4.2BSD kernel would avoid these
problems:

  o Allowing one to set the real uid from the effective one with
    setuid(geteuid()).

  o A mkdir() system call, which avoids all of the real vs. effective
    uid problems in the first place.

The former is a sufficient solution, and one which I would like to see
in System V. The latter, while useful, does not *really* have to be in
the kernel; hence, it does not belong there.

			Mark Brukhartz
			ihnp4!laidbak!mdb
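The four-step procedure above, written out in C as an added example. This is editorial code, not Mark's or anyone's uucp implementation; the function name setuid_mkdir and the scratch directory under /tmp are assumptions. Two caveats a practitioner should keep in mind: a modern mkdir(1) calls mkdir(2), so after step 2 the directory is already owned by the effective uid and step 4's chown() is a no-op; and on systems with _POSIX_CHOWN_RESTRICTED (Linux among them) an unprivileged process cannot give a directory away, so step 4 only succeeds when the command is setuid root or the real and effective uids coincide, exactly the System V dependence the post names.

```c
/* Added example (editorial, not from the original post): the four-step
 * setuid mkdir described in the article. Assumes a POSIX system with
 * /bin/mkdir; names are hypothetical. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run fn(arg) in a forked child; return its exit status, or -1 on error. */
static int run_in_child(int (*fn)(void *), void *arg)
{
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0)
        _exit(fn(arg) == 0 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

struct mkdir_args {
    const char *path;   /* directory to create */
    uid_t owner;        /* effective uid of the setuid command */
    gid_t group;        /* effective gid of the setuid command */
};

/* Step 2 child: exec mkdir(1). On pre-mkdir(2) UNIX the result is owned
 * by the *real* uid; a modern mkdir(1) uses mkdir(2) and the directory
 * is owned by the effective uid, which makes step 4 a no-op. */
static int exec_mkdir(void *arg)
{
    const struct mkdir_args *a = arg;
    execl("/bin/mkdir", "mkdir", "--", a->path, (char *)NULL);
    return -1;  /* reached only if exec fails */
}

/* Step 4 child: drop the setuid privilege, then give the directory
 * (owned by the real uid) to the setuid command's effective uid.
 * Giving a file away needs System V chown() semantics or root; under
 * _POSIX_CHOWN_RESTRICTED this fails with EPERM for other users. */
static int give_away(void *arg)
{
    const struct mkdir_args *a = arg;
    if (setuid(getuid()) == -1)
        return -1;
    return chown(a->path, a->owner, a->group);
}

/* Create `path`, a direct child of `parent`, owned by this process's
 * effective uid. Returns 0 on success, -1 on failure. The parent's
 * original mode is restored whether or not mkdir succeeded. */
int setuid_mkdir(const char *parent, const char *path)
{
    struct stat st;
    if (stat(parent, &st) == -1)
        return -1;
    mode_t saved = st.st_mode & 07777;
    struct mkdir_args a = { path, geteuid(), getegid() };

    /* Step 1: open the parent so a process running as the real uid can
     * create an entry. chmod() requires that we own the parent. */
    if (chmod(parent, 0777) == -1)
        return -1;

    /* Step 2: fork and exec mkdir(1). */
    int rc = run_in_child(exec_mkdir, &a);

    /* Step 3: close the mode-777 window before doing anything else. */
    if (chmod(parent, saved) == -1)
        return -1;
    if (rc != 0)
        return -1;

    /* Step 4: relinquish setuid and chown() in a separate child. */
    return run_in_child(give_away, &a) == 0 ? 0 : -1;
}

int main(void)
{
    char parent[] = "/tmp/sumkdirXXXXXX";   /* constructed scratch dir */
    if (mkdtemp(parent) == NULL || chmod(parent, 0700) == -1) {
        perror("scratch directory");
        return 1;
    }
    char child[sizeof parent + 8];
    snprintf(child, sizeof child, "%s/sub", parent);
    if (setuid_mkdir(parent, child) == -1) {
        perror("setuid_mkdir");
        return 1;
    }
    struct stat st;
    if (stat(child, &st) == 0)
        printf("%s: owner uid %u\n", child, (unsigned)st.st_uid);
    return 0;
}
```

Run as an ordinary user this exercises the whole sequence with real and effective uids equal, which is enough to see the mode restored and the directory created; installed setuid root it behaves as the post describes. The window between steps 1 and 3 is real: any user can create entries in the parent during it, which is why the mkdir(2) system call, rather than this dance, became the answer.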