Bug #1408
suid program creates file with owner gid=0 instead of "nobody"
Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Start date:
2011-08-24
Due date:
% Done:
0%
Estimated time:
Difficulty:
Medium
Tags:
needs-triage
Gerrit CR:
Description
here is the setup
server:
root@gate:~# uname -a SunOS gate 5.11 build17.08 i86pc i386 i86pc Solaris root@gate:~# share - /testpool/suid rw "" root@gate:~# ls -lnad /testpool/suid drwxrwxrwx 2 0 0 4 2011-08-24 17:26 /testpool/suid
on the client side i mount this share with default options and copy there the simple suid program (source attached).
When the file is created with "touch" command it gets the owner and group "nobody"
When the file is created with suid program it get the owner "nobody" and group "root"
Here is the log:
root@oi2:/mnt# mount -p | grep /mnt mnttab - /etc/mnttab mntfs - no 10.3.52.237:/testpool/suid - /mnt nfs - no rw,xattr root@oi2:/mnt# pwd /mnt root@oi2:/mnt# id uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon) root@oi2:/mnt# root@oi2:/mnt# touch test1 root@oi2:/mnt# root@oi2:/mnt# ls -lna total 13 drwxrwxrwx 2 0 0 4 2011-08-24 17:44 . drwxr-xr-x 25 0 0 26 2011-08-19 12:49 .. -rwsr-xr-x 1 60001 60001 8660 2011-08-24 17:23 suid -rw-r--r-- 1 60001 60001 0 2011-08-24 17:44 test1 root@oi2:/mnt# root@oi2:/mnt# ./suid String was succesfully writen to rootfile root@oi2:/mnt# root@oi2:/mnt# ls -lna total 14 drwxrwxrwx 2 0 0 5 2011-08-24 17:44 . drwxr-xr-x 25 0 0 26 2011-08-19 12:49 .. -rw-r--r-- 1 60001 0 13 2011-08-24 17:44 rootfile -rwsr-xr-x 1 60001 60001 8660 2011-08-24 17:23 suid -rw-r--r-- 1 60001 60001 0 2011-08-24 17:44 test1 root@oi2:/mnt#
Isn't it a security issue?
Files