bug-coreutils
possibly security bug in mv ?


From: Nelson Benítez
Subject: possibly security bug in mv ?
Date: Mon, 22 Aug 2005 11:25:36 +0000

Hi, on the man page of mv it is said:

"When both source and destination are on the same filesystem,  they  are
the same file (just the name is changed; owner, mode, timestamps remain
unchanged).  When they are on different filesystems, the source file is
copied  and then deleted.  mv will copy modification time, access time,
user and group ID, and mode if possible. When copying user and/or group
ID fails, the setuid and setgid bits are cleared in the copy."

The last sentence (clearing setuid, setgid bits) doesn't seem to be true
in the following test case:


address@hidden ~ $ mkdir temp
address@hidden ~ $ su
Password:
gnelson nelson # mkdir /mnt/temp
gnelson nelson # mount -o bind /home/nelson/temp /mnt/temp
gnelson nelson # echo "hola" > hola.txt
gnelson nelson # chown pedro:users hola.txt
gnelson nelson # chmod u+s hola.txt
gnelson nelson # exit
exit
address@hidden ~ $ ls -l hola.txt
-rwSr--r--  1 pedro users 5 ago 22 11:05 hola.txt
address@hidden ~ $ whoami
nelson
address@hidden ~ $ mv hola.txt /mnt/temp
address@hidden ~ $ ls -l /mnt/temp/hola.txt
-rwSr--r--  1 nelson users 5 ago 22 11:05 /mnt/temp/hola.txt
address@hidden ~ $

- The mount -o bind is to simulate different filesystems/partitions so
'mv' falls back to copying instead of moving.

- Substitute 'nelson' with your normal user and 'pedro' with another normal
user of your system.

 As you can see, 'mv' could not copy the uid of the file /mnt/temp/hola.txt,
which is now owned by 'nelson' instead of 'pedro'. That is correct
because it's a copy operation, but 'mv' has not cleared the setuid bit as
mentioned in the man page, so this could lead to a security
bug?


PS: I have mv 5.2.1 on Gentoo Linux x86 with an ext3 filesystem.