From: Jonathan de Boyne Pollard on 1 May 2010 00:07

>
>> Here's the definition from POSIX:
>>
>>> 3.20 Appropriate Privileges
>>>
>>> An implementation-defined means of associating privileges with a
>>> process with regard to the function calls, function call options,
>>> and the commands that need special privileges. There may be zero or
>>> more such means. These means (or lack thereof) are described in the
>>> conformance document.
>>>
>> There's no requirement for privileges to be all-or-nothing as in the
>> old "superuser" privilege model. For example, a process could have
>> appropriate privilege to chown() files without having appropriate
>> privilege for other things such as killing processes.
>>
> So in the hypothetical case at hand, where the file owner is allowed
> to change ownership of the file, would a "chown" process started by
> that user be classified as "having appropriate privileges" or not?
>

There are two common models:

* The "superuser" model, mentioned by M. Clare and with which we are all (I hope) familiar.

* The "multiple rôle accounts" model. Think, basically, of how Windows NT works. There's no superuser. Individual accounts have special flags assigned to them that mark them as capable of specific, privileged, operations, such as giving away ownership of files/directories, taking ownership of files/directories, bypassing lack of 'x' permissions on directories, modifying any part of the password database, creating new user tokens, and so forth.

There are, of course, several less common models, such as capabilities and so forth. Linux, for example, looks like a "superuser" model but in many ways nowadays is more like a "multiple rôle accounts" model, albeit not completely. chown is in fact a case in point. One of the things that you're missing is that there are two different "appropriate privileges", here.
The standard for chown has allowed for several implementation choices:

* The system uses the "superuser" model and only the superuser may change ownerships of anything, and of course will always be able to preserve set-ID flags.

* The system uses the "superuser" model but is (in z/OS UNIX terminology) a CHOWN.UNRESTRICTED system, where anybody can chown their own files/directories willy-nilly. The "appropriate privilege" for being able to preserve set-ID flags across chown is usually still reserved to the superuser alone, to close the obvious privilege escalation loophole.

* The system uses the "multiple rôle accounts" model, and there are two privileges that accounts can possess: ability to chown someone else's files/directories, and ability to preserve set-ID flags across chown. Who can do what, and in what combinations, depends from which user accounts have which privileges, the policy for which is set by humans, not by the system itself.

On Linux, the "appropriate privilege" for being able to change ownerships of someone else's files/directories is a combination of CAP_CHOWN and "unrestricted_chown" mount options; however the "appropriate privilege" for being able to preserve set-ID flags is reserved to the superuser alone and is not an account-possessable privilege. So Linux has one foot in both camps, here.

Solaris is even more like a "multiple rôle accounts" model. The PRIV_FILE_SETID privilege is the ability to preserve set-ID flags across chown, as long as one is not chowning to UID 0 when one isn't UID 0. The PRIV_FILE_CHOWN privilege is the ability to chown someone else's files/directories, as long as that someone else, or the target UID, is not UID 0. The PRIV_FILE_CHOWN_SELF privilege is the ability to give away one's own ownership of a file/directory to someone else. And there's a global configuration setting, rstchown, read at IPL time, that enables PRIV_FILE_CHOWN_SELF for everyone if set to 0.
Interestingly, on Windows NT, both "appropriate privileges" are combined into one: SeRestorePrivilege. This allows one both to write the owner of a file/directory (i.e. change it to whatever owner one likes) and to write the discretionary ACL and attributes of a file/directory (which Cygwin, Interix, MK, and so forth will map to the POSIX set-ID flags).
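The second "appropriate privilege" discussed above (preserving set-ID flags across chown) can be observed directly. The following is an added example, not code from this thread or from any of the systems it describes: a small C probe that sets S_ISUID on a scratch file and on a scratch directory under /tmp (assumed writable), chowns each to the calling user, which even a restricted-chown system permits for the owner, and reports whether the bit survived.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp(), fchown(), O_DIRECTORY */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Set S_ISUID on the open object, chown it to the calling user (allowed for the
 * owner even on a restricted-chown system) and report whether the bit survived:
 * 1 = kept, 0 = cleared, -1 = probe failed. Only S_ISUID: chmod may refuse S_ISGID. */
static int setuid_bit_after_self_chown(int fd)
{
    struct stat st;
    if (fchmod(fd, S_ISUID | S_IRWXU) != 0) return -1;
    if (fstat(fd, &st) != 0 || !(st.st_mode & S_ISUID)) return -1;
    if (fchown(fd, getuid(), (gid_t)-1) != 0) return -1;
    if (fstat(fd, &st) != 0) return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Regular file: POSIX requires the bits to be cleared unless the caller has the
 * "appropriate privilege" to preserve them (Linux clears them even for root, see chown(2)). */
int setuid_survives_chown_on_file(void)
{
    char path[] = "/tmp/setid-probe-XXXXXX";      /* constructed scratch name */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int rc = setuid_bit_after_self_chown(fd);
    close(fd);
    unlink(path);
    return rc;
}

/* Directory: implementation-defined in POSIX; Linux leaves the bits alone. */
int setuid_survives_chown_on_dir(void)
{
    char path[] = "/tmp/setid-probe-dir-XXXXXX";  /* constructed scratch name */
    if (mkdtemp(path) == NULL) return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    int rc = (fd < 0) ? -1 : setuid_bit_after_self_chown(fd);
    if (fd >= 0) close(fd);
    rmdir(path);
    return rc;
}
int main(void)
{
    static const char *verdict[] = { "probe failed", "cleared", "kept" };
    printf("regular file: set-UID bit %s across owner chown()\n", verdict[setuid_survives_chown_on_file() + 1]);
    printf("directory:    set-UID bit %s across owner chown()\n", verdict[setuid_survives_chown_on_dir() + 1]);
    return 0;
}
```

Run it as an ordinary user; on a Solaris-style system the file result changes only when the process holds the set-ID-preserving privilege, not merely the right to call chown().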
From: pk on 1 May 2010 08:23

Jonathan de Boyne Pollard wrote:

>> So in the hypothetical case at hand, where the file owner is allowed
>> to change ownership of the file, would a "chown" process started by
>> that user be classified as "having appropriate privileges" or not?
>>
> There are two common models:
>
> [snip good stuff]

Ok, I guess the "appropriate privileges to preserve the SxID bits" (as opposed to "appropriate privileges to call chown()") is what I was missing. Thanks all for the explanations.