• Part I
  • sun managers I
• Part D
  • sun managers D
• Part L
  • sun managers L
• Part H
  • sun managers H
• Part B
  • sun managers B
• Part E
  • sun managers E
• Part J
  • sun managers J
• Part F
  • sun managers F
• Part C
  • sun managers C
• Part K
  • sun managers K

SITEMAP

SUMMARY: changing chown command

I asked

> I've got a user asking me to disable _POSIX_CHOWN_RESTRICTED (add
> "set rstchown = 0" to /etc/system) on a Sun Solaris box. My understanding
> is that this changes chown's behavior a bit by letting any user chown a
> file that they own to someone else, stripping any suid bits in the process.
>
> My gut feeling is "no way". But I can't actually envision a case where
> this would really cause a problem on a shared development system. We do
> not use quotas, so there is no concern about a user deviously filling up
> the quota of someone he or she does not like by chowning a bunch of large
> files to them. Setuid is stripped, so I don't think that will be a
> concern. I can think of one obnoxious-but-not-security-critical behavior--
> Alice storing all her illicitly downloaded music on the server and then
> chown'ing them to Bob so it looks like they aren't hers.
>
> So my question is: can anyone envision a situation where this would create
> a real problem?

The answer

Don't do it unless you like the inside of a courtroom. With that change you
lose your audit trail if a user hides his or her illegal files by putting
them in another user's area owned by that user. If you need this
functionality, use something like sudo to have an audit trail.

Thanks to
<David.Harrington.ctr at dla.mil>
Dan Lowe <dan at tangledhelix.com>
Chris Ruhnke <ruhnke at us.ibm.com>
Darren Dunham <ddunham at taos.com>
Hicheal Morton <mh1272 at gmail.com>
Karyn Williams <karyn at calarts.edu>
Scott Francis <darkuncle at gmail.com>
"Paveza, Gary" <gary.paveza at aig.com>
Rich Teer <rich.teer at rite-group.com>
Johan Hartzenberg <jhartzen at csc.com>
Andrew Hall <halla3 at corp.earthlink.net>
Chris Hoogendyk <hoogendyk at bio.umass.edu>
<Deborah.Santomauro at f22ctf.edwards.af.mil>
Matthew Stier <Matthew.Stier at us.fujitsu.com>

+-----------------------------------------------------------------------+
| Christopher L. Barnard O When I was a boy I was told that |
| cbarnard at tsg.cbot.com / \ anybody could become president. |
| (312) 347-4901 O---O Now I'm beginning to believe it. |
| http://www.cs.uchicago.edu/~cbarnard --Clarence Darrow |
+----------PGP public key available via finger or PGP keyserver---------+

Comments

"sun managers H [Part H]" Sponsored Links

• "sun managers H [Part H]" New Questiones!

  • SUMMARY: Changing a users UID
  • SUMMARY: centralizing account mgmt? is it worth doing?
  • SUMMARY: ce0 Gig NIC issue
  • SUMMARY: CDE Screenlock Not working after Solaris 9 Upgrade
  • SUMMARY: CDE login hangs on Solaris 10 hosts
  • SUMMARY: Carving up a slice on existing production disk
  • SUMMARY: Cant read/mount DVDROM
  • SUMMARY: can't load module "rdriver"
  • Summary: Can't kill process
  • SUMMARY: Can't ftp in as root
  • SUMMARY: can't do "sudo -s" on hardened box
  • SUMMARY: can't do "sudo -s" on hardened box
  • SUMMARY: Can't delete folders.....
  • SUMMARY: Can't "get" a file after ftp into host
  • SUMMARY: cannot relay email messages
  • SUMMARY: cannot create /etc/foo: Operation not applicable
  • SUMMARY: cannot boot from dvd on Ultra-60
  • Summary: can we trace a listening udp/tcp ports to the underlying applications/program
  • SUMMARY: Can Solaris 9 patches be installed on a production system (a Oracle server) without tak
  • SUMMARY: can an ultra5 handle an internal drive greater than 137GB?

Copyright © 2008 thatsjava.com • All rights reserved • CMS Theme by WebmasterFund.com - 0.156