Xref: utzoo comp.unix.questions:6271 comp.unix.wizards:7392
Path: utzoo!utgpu!water!watmath!clyde!att-cb!att-ih!chinet!les
From: les@chinet.UUCP (Leslie Mikesell)
Newsgroups: comp.unix.questions,comp.unix.wizards
Subject: Re: mkdir and access(2)
Keywords: access(2), permissions, setuid/setgid
Message-ID: <4190@chinet.UUCP>
Date: 27 Mar 88 07:12:37 GMT
References: <59@vsi.UUCP> <1056@stratus.UUCP> <70@vsi.UUCP> <305@wsccs.UUCP> <368@wsccs.UUCP> <10811@mimsy.UUCP>
Reply-To: les@chinet.UUCP (Leslie Mikesell)
Distribution: comp
Organization: Chinet - Public Access Unix
Lines: 30

In article <10811@mimsy.UUCP> chris@mimsy.UUCP (Chris Torek) writes:
>>UNIX implementations. Your "mkdir" command would have to be SUID root,
>>but still be able to tell who actually ran it.
>
>This is precisely the problem. When a setuid program is running
>and needs to make a new directory, it must (on these systems) run
>the `mkdir' program. That setuid program's permissions are in
>fact those of the EFFECTIVE user, not the real user; but mkdir
>will check only the permissions of the real user. Often this is
>not what is desired. Example:
>

Real-life example: I have a subdirectory tree that I need to duplicate
on another machine via uucp. To save transmission time, I like to use:

    find . -print | cpio -oc | compress | uux - "remote!unpackit"

where remote is the machine name and unpackit is a shell script that
goes to the right place and runs zcat | cpio -imd on its input.

Now, one would think that these files and directories would be owned
by uucp since uuxqt is setuid to uucp. However, if the particular run
of uucico that delivered the batch was started by a user on the remote
machine, guess who owns the newly created directories... Cpio uses
system(mkdir), which gives the directory to the real user, who happens
to be the one who originally started the process (even in SysVr3, where
it doesn't have to!).

Even if the first run operates as uucp (due to our system logging in to
deliver the file), later attempts may fail due to incorrect permissions
when creating a new directory.

-Les
...ihnp4!chinet!les