[3592] in bugtraq
HP-UX setprivgrp()
daemon@ATHENA.MIT.EDU (Eduardo E. Silva)
Thu Nov 7 15:54:01 1996
Date: Thu, 7 Nov 1996 11:34:20 -0800
Reply-To: "Eduardo E. Silva" <esilva@netcom.com>
From: "Eduardo E. Silva" <esilva@netcom.com>
X-To: BUGTRAQ@crimelab.com
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>

I just ran into this while doing routine security checks on HP-UX B.10.01.

From man 2 chown on HP-UX 10.01:

"...Only processes with an effective user ID equal to the file owner or a
user having appropriate privileges can change the ownership of a file.
If privilege groups are supported, the owner of a file can change the
ownership only as a member of a privilege group allowing CHOWN, as set
up by the setprivgrp command (see setprivgrp(1M)). All users get the
CHOWN privilege by default..."

$ date
Thu Nov 7 11:17:24 PST 1996
$ getprivgrp
global privileges: CHOWN
$ pwd
/home/esilva
$ id
uid=112(esilva) gid=999(tmp)
$ mkdir tmp
$ chown esilva tmp
$ chmod 6777 tmp
$ ls -ldi tmp
45696 drwsrwsrwx 2 esilva tmp 24 Nov 7 11:12 tmp
$ chown root tmp
$ ls -ldi tmp
45696 drwsrwsrwx 2 root tmp 24 Nov 7 11:12 tmp
$ cd tmp
$ touch hello
$ ls -ldi hello
45697 -rw-rw-rw- 1 esilva tmp 0 Nov 7 11:12 hello
$ chmod 6777 hello
$ chown root hello
$ ls -ldi hello
45697 -rwxrwxrwx 1 root tmp 0 Nov 7 11:12 hello

Maybe a race condition can be won between the times the setuid bits
are changed by chown().
-Ed
--
_
/\o/\
Thanks! / <_> \
/^^/ \^^\
-Ed /___\
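
Added example, not part of the original post: an audit sketch for the two conditions the session above shows, a global CHOWN privilege in getprivgrp output and set-id bits that remain after an ownership change. The function names are hypothetical, and the listing format assumed is the `ls -ldi` output as it appears in the post.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not HP-UX tooling.

# chown_is_global: reads `getprivgrp` output on stdin and succeeds when the
# "global privileges:" line lists CHOWN (format as shown in the post).
chown_is_global() {
    awk '/^global privileges:/ {
             for (i = 3; i <= NF; i++) if ($i == "CHOWN") found = 1
         }
         END { exit !found }'
}

# setid_survivors: reads successive `ls -ldi` lines on stdin, tracks each
# inode's owner, and reports entries whose owner changed while the setuid
# or setgid bit (s/S in mode column 4 or 7) is still set afterwards.
setid_survivors() {
    awk '{
        inode = $1; mode = $2; owner = $4; name = $NF
        if ((inode in prev) && prev[inode] != owner &&
            (substr(mode, 4, 1) ~ /[sS]/ || substr(mode, 7, 1) ~ /[sS]/))
            print name, prev[inode] "->" owner, mode
        prev[inode] = owner
    }'
}

# Listing lines copied from the session in the post (before/after each chown).
sample_listing() {
    cat <<'EOF'
45696 drwsrwsrwx 2 esilva tmp 24 Nov 7 11:12 tmp
45696 drwsrwsrwx 2 root tmp 24 Nov 7 11:12 tmp
45697 -rw-rw-rw- 1 esilva tmp 0 Nov 7 11:12 hello
45697 -rwxrwxrwx 1 root tmp 0 Nov 7 11:12 hello
EOF
}

# On a live host the first check would be: getprivgrp | chown_is_global
# Here only the directory is reported; the regular file lost its set-id bits.
sample_listing | setid_survivors
```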