Date: Tue, 9 Jul 1996 04:31:02 -0500
From: zach@blizzard.gaffaneys.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/1377: Possible security hole in mv(1)
Message-ID: <199607090931.EAA05222@freebsd.gaffaneys.com>
Resent-Message-ID: <199607090940.CAA23518@freefall.freebsd.org>
>Number:         1377
>Category:       bin
>Synopsis:       mv(1) retains the setuid bit when it is unable to preserve the uid.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 9 02:40:01 PDT 1996
>Last-Modified:
>Originator:     Zach Heilig
>Organization:
Zach Heilig (zach@blizzard.gaffaneys.com)
>Release:        FreeBSD 2.1.0-RELEASE i386
>Environment:
FreeBSD 2.1.0-RELEASE
>Description:

mv(1) will retain the setuid bit on a file when it is unable to preserve the uid. This would, for example, allow one user to create a setuid executable, and if they should somehow convince a different user to mv(1) it to a different filesystem, they have access to that user's account.

mv(1) should not retain either the setuid or setgid bits when it is unable to preserve both the uid and the gid of the file. This would bring it in line with cp(1), which mv(1) is theoretically supposed to be using.

I would track it down, but I don't have the mv(1) source online.

>How-To-Repeat:

Script started on Tue Jul 9 03:50:45 1996
$ whoami
user1
$ pwd
/usr/home/user1
$ mkdir foo
$ chmod 777 foo
$ cd foo
$ touch bar
$ chmod 6755 bar
$ ls -l bar
-rwsr-sr-x  1 user1  user  0 Jul  9 03:51 bar
$ exit
Script done on Tue Jul 9 03:51:14 1996

Script started on Tue Jul 9 03:51:24 1996
$ whoami
user2
$ cd /tmp
$ mv ~user1/foo/bar .
mv: ./bar: set owner/group: Operation not permitted
mv: ./bar: set mode: Operation not permitted
$ ls -l bar
-rwsr-xr-x  1 user2  wheel  0 Jul  9 03:51 bar
$ exit
Script done on Tue Jul 9 03:51:39 1996

>Fix:
>Audit-Trail:
>Unformatted:
sw-bug
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199607090931.EAA05222>
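As an added illustration of the rule the report asks for (this is not FreeBSD's mv(1) or cp(1) source; the function names, the scratch directory under /tmp and the choice of "some other uid" are my own assumptions), the following C code performs the cross-filesystem copy step and then applies the mode only after it knows whether ownership could be restored. When fchown() fails, as it does for an unprivileged user2 copying user1's file, the copy belongs to user2, so setuid and setgid are cleared before fchmod(); when it succeeds, the original bits are kept. check_special_bits_dropped() re-creates the How-To-Repeat scenario in a scratch directory and reports whether the resulting file is safe.

```c
/* Added example, not mv(1)'s own code. Names and paths are assumptions. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define SPECIAL_BITS (S_ISUID | S_ISGID)
#define MODE_BITS    (S_ISUID | S_ISGID | S_ISVTX | S_IRWXU | S_IRWXG | S_IRWXO)

/* Mode to apply to the copy. If ownership could not be preserved, the copy
 * belongs to whoever ran mv, so keeping setuid/setgid would hand out that
 * user's identity: drop both bits, as the report asks. */
mode_t mode_after_copy(mode_t src_mode, int owner_preserved)
{
    mode_t mode = src_mode & MODE_BITS;
    if (!owner_preserved)
        mode &= ~SPECIAL_BITS;
    return mode;
}

/* Copy src to dst as a cross-filesystem mv must, then restore owner and
 * mode. uid/gid are what mv would take from the source's st_uid/st_gid.
 * Returns 1 if ownership was preserved, 0 if the copy succeeded but the
 * owner could not be set (special bits dropped), -1 on I/O error. */
int copy_file_safe(const char *src, const char *dst, uid_t uid, gid_t gid)
{
    struct stat sb;
    char buf[65536];
    ssize_t n;
    int in, out, preserved;

    if ((in = open(src, O_RDONLY)) < 0)
        return -1;
    if (fstat(in, &sb) < 0) { close(in); return -1; }
    /* Create the copy 0600: nobody can run it before owner and mode are final. */
    if ((out = open(dst, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR)) < 0) {
        close(in); return -1;
    }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { close(in); close(out); unlink(dst); return -1; }
            off += w;
        }
    }
    close(in);
    if (n < 0) { close(out); unlink(dst); return -1; }
    /* Owner first, mode last: a chown may itself clear the special bits,
     * so the decided mode must be the final write. */
    preserved = fchown(out, uid, gid) == 0;
    if (fchmod(out, mode_after_copy(sb.st_mode, preserved)) < 0) {
        close(out); unlink(dst); return -1;
    }
    close(out);
    return preserved;
}

/* Replay the report's scenario in a scratch directory: a 06755 file is copied
 * while asking for a uid/gid that is not ours. Returns 1 if the outcome is
 * safe (special bits kept only when ownership was really preserved), 0 if the
 * copy carries setuid/setgid it should not, -1 on setup error. */
int check_special_bits_dropped(void)
{
    char dir[] = "/tmp/mvsuidXXXXXX";   /* constructed scratch path */
    char src[64], dst[64];
    struct stat sb, db;
    int fd, preserved, result;
    /* A uid that is not the caller's: root for normal users; uid 1 if this
     * itself runs as root (then fchown succeeds and the bits must remain). */
    uid_t other = geteuid() == 0 ? 1 : 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(src, sizeof src, "%s/bar", dir);
    snprintf(dst, sizeof dst, "%s/bar.copy", dir);
    fd = open(src, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || fchmod(fd, 06755) < 0 || fstat(fd, &sb) < 0) {
        if (fd >= 0) close(fd);
        unlink(src); rmdir(dir); return -1;
    }
    close(fd);
    preserved = copy_file_safe(src, dst, other, (gid_t)other);
    if (preserved < 0 || stat(dst, &db) < 0)
        result = -1;
    else if (preserved)
        result = (db.st_mode & SPECIAL_BITS) == (sb.st_mode & SPECIAL_BITS);
    else
        result = (db.st_mode & SPECIAL_BITS) == 0;
    unlink(src); unlink(dst); rmdir(dir);
    return result;
}
```

The two return values of copy_file_safe() matter to a caller such as mv: 0 is not an error, it is the signal that the file now has a different owner and was deliberately stripped of its special bits, which is exactly the case the 1996 mv(1) got wrong by printing "set owner/group: Operation not permitted" and then leaving the setuid bit in place.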