From: utzoo!decvax!cca!gwyn@Brl@sri-unix
Newsgroups: net.unix-wizards
Title: chgrp loophole
Article-I.D.: sri-unix.2862
Posted: Mon Aug 23 20:27:38 1982
Received: Tue Aug 24 16:52:29 1982

From:     Doug Gwyn 
Date:     14 Aug 82 1:00:13-EDT (Sat)

The scenario
	$ chgrp sys myshell
	$ chmod 2750 myshell
that lets one set-GID to a group he's not a member of
could be nullified if "chmod" wouldn't let one set the set-GID
bit on a file if the group differs from one's current effective GID.

This kind of protection loophole results from having two distinct
protection levels, user and group.  One way to avoid trouble would
be to outlaw groups altogether, but too many less-than-superuser
privileged utilities would have to be changed in this case.  Better
to carefully PROVE the security of any set of rules one has come
up with for his system.  I believe this can be done for UNIX in
one of its variations; has anybody done this?
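
The chmod rule proposed in the post, modelled as an added example (not part of the original article and not taken from any UNIX source). The `cred` and `inode` structs, the `model_*` functions and the numeric IDs are hypothetical, and the model assumes the rule is enforced by clearing the set-GID bit rather than by failing the call.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

struct cred  { uid_t euid; gid_t egid; };             /* hypothetical caller credentials */
struct inode { uid_t uid;  gid_t gid; mode_t mode; }; /* hypothetical file metadata */

/* chgrp as in the post's scenario: the owner may hand the file to any group. */
int model_chgrp(const struct cred *c, struct inode *f, gid_t g)
{
    if (c->euid != 0 && c->euid != f->uid)
        return -1;                       /* only owner or superuser */
    f->gid = g;
    return 0;
}

/* chmod; strict=0 is the behaviour with the loophole, strict=1 adds the
 * proposed check: set-GID survives only if the file's group equals the
 * caller's effective GID (superuser exempt). */
int model_chmod(const struct cred *c, struct inode *f, mode_t mode, int strict)
{
    if (c->euid != 0 && c->euid != f->uid)
        return -1;
    if (strict && c->euid != 0 && f->gid != c->egid)
        mode &= ~S_ISGID;                /* drop the set-GID bit */
    f->mode = mode & 07777;
    return 0;
}

/* Replays "chgrp <target> myshell; chmod 2750 myshell" for an ordinary user.
 * Returns 1 if myshell ends up set-GID to target_gid, else 0. */
int scenario(gid_t user_gid, gid_t target_gid, int strict)
{
    struct cred  user    = { 100, user_gid };          /* constructed IDs */
    struct inode myshell = { 100, user_gid, 0755 };

    model_chgrp(&user, &myshell, target_gid);
    model_chmod(&user, &myshell, 02750, strict);
    return (myshell.mode & S_ISGID) && myshell.gid == target_gid;
}

int main(void)
{
    printf("foreign group, no check:   set-GID=%d\n", scenario(10, 3, 0));
    printf("foreign group, with check: set-GID=%d\n", scenario(10, 3, 1));
    printf("own group, with check:     set-GID=%d\n", scenario(10, 10, 1));
    return 0;
}
```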