Re: Proposal: restrict link(2)

Richard B. Johnson
Mon, 16 Dec 1996 15:37:21 -0500 (EST)

On Mon, 16 Dec 1996, Marek Michalkiewicz wrote:

> Theodore Y. Ts'o:
> > Someone in Devel can trivially give write access to Beta Report merely by
> > leaving a setgid devel program in their home directory.
> I don't see any good reasons why ordinary users should be allowed
> to set set[ug]id bits. Perhaps that should be disallowed (at least
> as an option)? Would it break any standards?
> Marek

I think that a program that is set 4755 (priv bits) has those
attributes ignored unless the file is owned by root or at least has
a group of "0". I'm not sure of the exact UID/GID, but I know that, as
a user with a UID of 100 and a GID of 100, I can set my executable file:

chmod 4755 foo

with foo.c containing setuid(0); setgid(0); system("bash");.....
and it does NOT spawn a root shell. However, if I change the program
ownership to root, something a normal user can't do, the program does
in fact create a root shell.

In other words, to make a SUID program actually execute as root, the
program must be owned by root AND have those bits set. Therefore, allowing
a normal user to change file attribute bits is not a security risk and,
in fact, makes chmod simpler. Note that chown doesn't allow the owner to
change a file's ownership unless the new owner is in the same group. Therefore,
a normal user can't set the attribute bits, then change the file owner
to root. In an early version of Sparc Unix (before SunOS), the owner of
a file could do just that. The result could have been exactly as expected,
a gigantic security hole. Any user can become root.

Dick Johnson
Richard B. Johnson
Project Engineer
Analogic Corporation
Voice : (508) 977-3000 ext. 3754
Fax : (508) 532-6097
Modem : (508) 977-6870
Penguin : Linux version 2.1.15 on an i586 machine.
Warning : It's hard to remain at the trailing edge of technology.
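
An added example, not part of the original message: a C model of how the set-uid and set-gid bits combine with file ownership at exec time, usable to audit what identity a file would confer on an unprivileged caller. `exec_ids` and `confers_ids` are hypothetical helpers, the caller UID/GID 65534 in `main` is a constructed sample value, and nosuid mounts, no_new_privs and interpreter scripts are not modeled.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Effective IDs a process would hold after exec'ing a file (hypothetical type). */
struct ids { uid_t euid; gid_t egid; };

/* Set-id rule: the set-uid bit confers the file OWNER's UID; the set-gid bit,
 * when group-execute is also set, confers the file's GROUP. Regular files only. */
struct ids exec_ids(mode_t mode, uid_t fuid, gid_t fgid, uid_t ruid, gid_t rgid)
{
    struct ids r = { ruid, rgid };
    if (!S_ISREG(mode))
        return r;
    if (mode & S_ISUID)
        r.euid = fuid;
    if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
        r.egid = fgid;
    return r;
}

/* 1 if executing the file changes the caller's effective UID or GID. */
int confers_ids(mode_t mode, uid_t fuid, gid_t fgid, uid_t ruid, gid_t rgid)
{
    struct ids r = exec_ids(mode, fuid, fgid, ruid, rgid);
    return r.euid != ruid || r.egid != rgid;
}

/* Audit use: for each path given, report the IDs an unprivileged caller
 * (constructed sample: UID/GID 65534) would hold after running it. */
int main(int argc, char **argv)
{
    const uid_t ruid = 65534;
    const gid_t rgid = 65534;
    for (int i = 1; i < argc; i++) {
        struct stat st;
        if (lstat(argv[i], &st) != 0) { perror(argv[i]); continue; }
        struct ids r = exec_ids(st.st_mode, st.st_uid, st.st_gid, ruid, rgid);
        printf("%s mode=%04o owner=%u group=%u -> euid=%u egid=%u%s\n",
               argv[i], (unsigned)(st.st_mode & 07777),
               (unsigned)st.st_uid, (unsigned)st.st_gid,
               (unsigned)r.euid, (unsigned)r.egid,
               r.euid == 0 ? "  [runs as root]" : "");
    }
    return 0;
}
```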