From: utzoo!decvax!cca!decot@Mitre@sri-unix
Newsgroups: net.unix-wizards
Title: Re: Chown: right or privilege
Article-I.D.: sri-unix.2821
Posted: Sat Aug 21 06:09:29 1982
Received: Sun Aug 22 02:27:22 1982

From: Dave Decot 
Date: 11 Aug 1982  9:27:40 EDT (Wednesday)
Perhaps users should be able to change the ownership of their own files, but
some security violations ARE possible unless certain restrictions are placed
on the files `chowned'.  There are also situations where this facility
should not be present at all.

Requests to chown files with the 'set-uid' or 'set-gid' bits set should
not be honored, or if they are, these bits must be cleared by the chown
program.  Otherwise, any user might create a shell file or other program that
does 'bad' things, set these bits, chown the file to root and have his
way.

The ability to change the ownership of a directory must also be carefully
restricted to avoid any number of unpleasant situations.  For example, consider
this sequence:

	% cd
	% mkdir mutter
	% cd mutter
	% cat >foofile
	asdfjkl asdfjkl
	^D
	% chown her foofile
	% cd ..
	% chown her mutter

If the user performing this sequence has no write permission on mutter, he has
(perhaps unwittingly?) created in his tree a directory he cannot remove.
Finally, this mechanism should be severely restricted or not available on
systems where disk space is at a premium and users are accounted for the
number of blocks they use.  A dastardly user might create hundreds of files
owned by a user who doesn't know they exist (and may have no way of finding
out that they do!).

					-Dave Decot
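A policy wrapper that applies the two file-level restrictions argued for above, as an added example; it is not Decot's code and is not part of the original post. It strips the set-uid and set-gid bits before handing a file to its new owner, and refuses to chown directories (or anything that is not a regular file) at all. The names safe_chown, UnsafeChown and demo are my own, and the demo chowns to the caller's own uid/gid so it runs without privilege; the "script.sh" and "mutter" entries it builds are constructed sample input.

```python
import errno
import os
import stat
import tempfile


class UnsafeChown(Exception):
    """Raised when an ownership change is refused by policy."""


def safe_chown(path, uid, gid):
    """Give a regular file to (uid, gid) under the restrictions argued above.

    - set-uid / set-gid are stripped before the owner changes, so the new
      owner never holds a set-id file they did not create;
    - directories (and anything else that is not a regular file) are refused,
      so the caller cannot leave himself with a subtree he cannot remove.

    Returns the permission bits of the file after the change.
    """
    # Open first and do all the work on the descriptor: fstat/fchmod/fchown
    # then apply to one inode, so the path cannot be swapped for a directory
    # or a symlink between the check and the change.  O_NONBLOCK keeps the
    # open from hanging if someone planted a FIFO at that path.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError as e:
        if e.errno == errno.ELOOP:  # a symlink: refuse rather than follow it
            raise UnsafeChown("refusing to chown through symlink: %s" % path)
        raise
    try:
        st = os.fstat(fd)
        if stat.S_ISDIR(st.st_mode):
            raise UnsafeChown("refusing to chown a directory: %s" % path)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeChown("refusing to chown a non-regular file: %s" % path)
        mode = stat.S_IMODE(st.st_mode)
        stripped = mode & ~(stat.S_ISUID | stat.S_ISGID)
        if stripped != mode:
            os.fchmod(fd, stripped)  # clear the bits *before* the owner changes
        os.fchown(fd, uid, gid)
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)


def demo():
    """Exercise safe_chown on constructed files in a temporary directory.

    Returns (mode of the script after chown, directory refused?, symlink refused?).
    """
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as d:
        # The "shell file that does bad things" from the post, with set-uid on.
        script = os.path.join(d, "script.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho 'bad things'\n")
        os.chmod(script, 0o4755)
        mode_after = safe_chown(script, uid, gid)

        # The "mutter" directory from the post: must be refused outright.
        mutter = os.path.join(d, "mutter")
        os.mkdir(mutter)
        try:
            safe_chown(mutter, uid, gid)
            refused_dir = False
        except UnsafeChown:
            refused_dir = True

        # A symlink to the script: must not be followed.
        link = os.path.join(d, "link")
        os.symlink(script, link)
        try:
            safe_chown(link, uid, gid)
            refused_link = False
        except UnsafeChown:
            refused_link = True
    return mode_after, refused_dir, refused_link


if __name__ == "__main__":
    print(demo())
```

The wrapper does not rely on the kernel to do the stripping, although Linux has done so for a long time: per chown(2), changing the owner or group of an executable file clears S_ISUID and S_ISGID, and since 2.2.13 root is treated like any other caller in this respect. The quota problem in the last paragraph is not addressed here; it needs an accounting decision (refuse, or charge the blocks to the giver until the recipient accepts) rather than a per-file check.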