Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!rutgers!princeton!udel!info-minix
From: ESC1332@ESOC.bitnet (K.Keyte)
Newsgroups: comp.os.minix
Subject: SETUID problems with mkdir & rmdir
Message-ID: <8707051653.a024161@Louie.UDEL.EDU>
Date: Sun, 5-Jul-87 19:00:39 EDT
Article-I.D.: Louie.8707051653.a024161
Posted: Sun Jul  5 19:00:39 1987
Date-Received: Sun, 5-Jul-87 22:49:12 EDT
Sender: usenet@udel.EDU
Distribution: world
Lines: 31
To:           INFO-MINIX@UDEL.EDU



Of course everyone noticed, after a short time, that the 'cp' command
doesn't maintain the SETUID bit. This is clearly for security. Setting the
bit with chmod is no problem. There is another problem, however, with the
mkdir and rmdir. They are not normally SETUID (at least, not on UNIX). The
SETUID bit is needed on MINIX because they call the mknod system service
which is reserved for super-user only. To check that the user actually has
the required access to the parent directory, mkdir performs an 'access' call.
This is almost entirely useless because the setting of the SETUID means that
the caller automatically gets a protection mode permission of 07 (meaning that
all access modes are granted). So, the overall effect is that mkdir and rmdir
can be used by anyone to create and remove directories anywhere! This isn't
right, and there are a number of possibilities.

Has anyone tried anything, or got any ideas? I made an initial attempt by
removing the effective super-user uid before the access call, but of course
this means that real AND effective uids are then non super-user, i.e. you
can't re-enable the super-user uid with setuid, and the subsequent mknod
call fails! The access call makes a further call to 'forbidden' with a flag
set to indicate that it should check the REAL uid and not the EFFECTIVE uid.
This is ignored, since the file system 'init' program automatically sets the
super-user flag for any caller having an effective uid of the super-user.
It seems that the solution might be to steal access and modify it a bit,
and use the new version inside mkdir and rmdir. Please give me your comments.
Perhaps I'm overlooking a more obvious solution, but if I'm not I'm quite
prepared to make the changes and post them out.

PS: Are we actually allowed to mail Minix electronically (not the original
    source of course, but changes such as the one I've outlined above)?

Karl Keyte
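
The permission check described in the post, modelled as an added example (not MINIX source and not part of the original post). The struct layouts, function names, uid/gid values and directory mode are assumptions made for illustration; the second function is one possible real-uid-aware variant of the check.

```c
#include <stdio.h>

/* Constructed model of the check discussed above; not MINIX source.
 * All names, struct layouts and uid values are assumptions. */
#define SU_UID 0
#define W_BIT  2
#define X_BIT  1

struct caller  { int real_uid, eff_uid, real_gid, eff_gid; };
struct inode_m { int uid, gid; unsigned mode; };   /* low 9 bits: rwxrwxrwx */

/* Pick the owner, group or other rwx triplet that applies to uid/gid. */
static unsigned perm_bits(const struct inode_m *ip, int uid, int gid)
{
    if (uid == SU_UID)  return 07;
    if (uid == ip->uid) return (ip->mode >> 6) & 07;
    if (gid == ip->gid) return (ip->mode >> 3) & 07;
    return ip->mode & 07;
}

/* As described in the post: the super-user flag follows the EFFECTIVE uid,
 * so the use_real request has no effect inside a setuid-root program.
 * Returns 0 when access is allowed, -1 when it is denied. */
int forbidden_as_described(const struct caller *c, const struct inode_m *ip,
                           unsigned want, int use_real)
{
    int super = (c->eff_uid == SU_UID);
    int uid = use_real ? c->real_uid : c->eff_uid;
    int gid = use_real ? c->real_gid : c->eff_gid;
    unsigned bits = super ? 07 : perm_bits(ip, uid, gid);
    return (bits & want) == want ? 0 : -1;
}

/* Variant that honours use_real: only the selected uid can earn mode 07. */
int forbidden_real_aware(const struct caller *c, const struct inode_m *ip,
                         unsigned want, int use_real)
{
    int uid = use_real ? c->real_uid : c->eff_uid;
    int gid = use_real ? c->real_gid : c->eff_gid;
    return (perm_bits(ip, uid, gid) & want) == want ? 0 : -1;
}

int main(void)
{
    struct caller  user_in_mkdir = { 12, SU_UID, 3, 3 };  /* setuid-root mkdir */
    struct inode_m root_dir = { SU_UID, 0, 0755 };        /* parent directory */
    printf("as described: %d\n", forbidden_as_described(&user_in_mkdir, &root_dir, W_BIT | X_BIT, 1));
    printf("real-aware:   %d\n", forbidden_real_aware(&user_in_mkdir, &root_dir, W_BIT | X_BIT, 1));
    return 0;
}
```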