setuid/setgid files

Submit your RBAC policies or suggest policy improvements

setuid/setgid files

Postby Kyoshiro » Tue Jan 18, 2005 8:34 am

Whenever I have a setgid file, grsec disallows any chmod of this file if there's no 'm' access to the object. For example I do a chmod o+rx on :
drwxr-s--- 5 user www-data 4,0K 2005-01-17 21:10 html/
(restricted:G:/) denied chmod of /home/.../html by /bin/chmod[chmod:29321] ...
But chmod g-s is allowed and then I can do chmod o+rx for example.

Maybe it is related to the fact that chmod wants to remove the setgid mode when changing the mode of html ? Or is it standard behavior to deny chmod on setgid/setuid files when there's not the 'm' flag on that file ?

BTW, is there a way to disallow setgid bit removal ? Is it possible to add current and wanted modes in grsec logs when a chmod is denied ?
Kyoshiro
 
Posts: 20
Joined: Thu Aug 12, 2004 5:45 pm

Postby spender » Tue Jan 18, 2005 11:35 am

The reason is that when you do a chmod o+x on a file, you're getting the current permissions, modifying that to include o+x, and setting that entire permission on the file. So, if the file already has +s, you're setting it again when you chmod o+x. There are advantages to having it this way, say if you had some file:
rwsr-x--- buggysuidapp

Requiring m to chmod this file would keep someone from making it world-executable.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby Kyoshiro » Tue Jan 18, 2005 1:53 pm

That's what I though later ;). Thanks for the explanation.

My last question remain: is it possible to add current and wanted modes in grsec logs when a chmod is denied ? It'd be useful to see what the user wanted to do.
Kyoshiro
 
Posts: 20
Joined: Thu Aug 12, 2004 5:45 pm


Return to RBAC policy development