--- Begin Message ---
Subject: [bugs #11638] chmod and setgid bit
Date: Wed, 19 Jan 2005 17:49:37 +0000
This is an automated notification sent by Savannah.
It relates to:
bugs #11638, project GNU Core Utilities
==============================================================================
OVERVIEW of bugs #11638:
==============================================================================
URL:
<http://savannah.gnu.org/bugs/?func=detailitem&item_id=11638>
Summary: chmod and setgid bit
Project: GNU Core Utilities
Submitted by: None
Submitted on: Wed 19.01.2005 at 12:49
Category: None
Severity: 5 - Average
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
_______________________________________________________
Let's say you have a directory like this:
drwxr-s--- 5 user www-data 4,0K 2005-01-19 00:19 html/
It's useful when you want a user to be the owner of his web repository, giving
the webserver access to the web files without giving access to the world.
The problem is that when you try to chmod g+w or o+rx html/, for example, the
directory loses its setgid bit if "user" is not in the "www-data" group.
Then either you disallow him the right to chmod with an RBAC, but then he'll no
longer be able to give the webserver write access to his website, or you put
"user" in the www-data group, thus granting him access to other users' web
files.... Neither is a solution at all...
I understand the reasons why you could have decided to remove the
setgid/setuid bit from an executable when its mode or owner is changed, since
this could grant privileges to users not allowed to have them.
But the setgid bit on directories has a very specific behavior. It only
ensures that files or directories created in the setgid dir will have the same
group (+setgid bit for directories) as their parent. Very useful for HTML
dirs, as I explained before. But not if it's removed on chmod! I see no harm in
leaving the setgid bit active whenever anyone changes modes for the
directory.
What do you think about it? :)
==============================================================================
This item URL is:
<http://savannah.gnu.org/bugs/?func=detailitem&item_id=11638>
_______________________________________________
Message posted via/by Savannah
http://savannah.gnu.org/
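The behaviour the report describes can be checked on a Linux box with a short script. The following is an added example, not code from the bug report or from GNU coreutils; it assumes GNU stat (for `-c %g` / `-c %a`) and a writable temp directory. It creates a setgid directory, chgrp's it to one of the caller's secondary groups when one exists so that group inheritance is actually visible, and then shows whether a `chmod g+w` on the directory keeps the setgid bit. Because the script only ever chgrp's to a group the caller belongs to, the kernel keeps the bit here; the stripping the reporter complains about happens when the caller is not in the directory's group and lacks CAP_FSETID.

```shell
#!/bin/sh
# Added example (not part of the bug report): demonstrate setgid-directory
# group inheritance and check whether chmod keeps the setgid bit.
# Assumes GNU stat and a writable temp directory.
set -u

# Print "yes" if a file created inside a setgid directory inherits the
# directory's group and a subdirectory inherits the setgid bit, else "no".
# If the caller has a secondary group, the directory is chgrp'd to it first
# so that inheritance is distinguishable from the caller's primary group.
setgid_inherit_check() {
    d=$(mktemp -d) || return 1
    chmod 2750 "$d"
    alt=$(id -G | tr ' ' '\n' | grep -vx "$(id -g)" | head -n 1)
    [ -n "$alt" ] && chgrp "$alt" "$d"
    : > "$d/file"
    mkdir "$d/sub"
    dir_gid=$(stat -c %g "$d")
    file_gid=$(stat -c %g "$d/file")
    sub_mode=$(stat -c %a "$d/sub")   # e.g. "2755" when setgid was inherited
    rm -rf "$d"
    if [ "$dir_gid" = "$file_gid" ] && [ "${sub_mode%???}" = 2 ]; then
        echo yes
    else
        echo no
    fi
}

# Run "chmod g+w" on a fresh setgid directory and print "kept" or "stripped".
# The kernel clears S_ISGID on a mode change when the caller is neither a
# member of the directory's group nor holds CAP_FSETID. Here the caller owns
# the directory and is in its group, so "kept" is the expected result.
setgid_after_chmod() {
    d=$(mktemp -d) || return 1
    chmod 2750 "$d"
    chmod g+w "$d"
    mode=$(stat -c %a "$d")
    rm -rf "$d"
    if [ "$mode" = 2770 ]; then echo kept; else echo stripped; fi
}

echo "group and setgid inherited by children: $(setgid_inherit_check)"
echo "setgid bit after chmod g+w by a group member: $(setgid_after_chmod)"
```

To observe the stripping itself, the directory must belong to a group the caller is not a member of, which requires a second account or root to set up; the script deliberately stays within the caller's own groups so it runs unprivileged.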
--- End Message ---