Re: chown clears suid bit!

From: Bob Proulx
Subject: Re: chown clears suid bit!
Date: Thu, 13 Apr 2006 09:42:26 -0600
User-agent: Mutt/1.5.9i

Brian K. White wrote:
> Your explanations do make sense but it sure was a surprise is all. I wasn't 
> bs'ing when I said the same script has been unchanged for years, and worked 
> on several platforms, including linux, for years.

I think if you took your new system running the new linux 2.6 kernel
and booted an older linux 2.4 kernel on it you would find that the
behavior follows the kernel version.  Your previous systems were
probably linux 2.4 kernels.  This is probably the first time your
script has run on the new linux 2.6 kernel.

> Also there's the fact that 99% of the time the chown commands in this 
> particular script end up being no-ops because the script is intended to 
> correct errors, and normally all the files would already be what the script 
> wants, and maybe previously in the case of a no-op it really did (what I 
> think) the more sensible thing, nothing.

I use the following technique in my shell scripts that do similar
things.  Hope you find it interesting.

    # ls -dlnL: the entry itself (-d), long format (-l), numeric uid/gid (-n),
    # following symlinks (-L).  Field 1 is the mode string, e.g. -rwxr-xr-x.
    mode=$(ls -dlnL "$i" | awk '{print$1}')
    case $mode in
      ?r??r??r??*) : file permissions $mode is okay ;;
      *) chmod a+r "$i" ;;
    esac

    # Fields 3 and 4 are the numeric owner and group; "00" means root:root.
    # chown is only run when ownership differs, so a correct file is never touched.
    ownergroup=$(ls -dlnL "$i" | awk '{print$3$4}')
    case $ownergroup in
      00) : file ownership $ownergroup is okay ;;
      *) chown root:root "$i" ;;
    esac

I don't change anything unless it needs to be changed.  This way the
file ctime is not continuously being updated.  Admins looking at what
changed today on the system won't find things that did not actually
change today.  Although the matching technique is not completely
portable (some systems will print different information there), it
seems to be good enough in practice.

Also the use of intermediate variables here provides convenient tracing
with 'sh -x script' so that the -x tracing output shows me what is
happening relatively easily when developing and debugging.
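The following is an added example, not the script from the message above or from the thread's author. It applies the same check-before-changing idea and, for the case this thread is about, re-applies the set-id bits after a chown that really runs, since the 2.6 kernel clears setuid/setgid on a chown of a regular file. It assumes the ls -l column layout the message relies on (field 1 mode, field 3 uid, field 4 gid); the function names are the example's own.

```sh
#!/bin/sh
# Added example, not the script from the post. Same idea: check first, change
# only when needed. The extra piece is restoring set-id bits after a chown that
# really runs, since the 2.6 kernel clears setuid/setgid on chown of a file.
# Assumes the ls -l column layout the post relies on (field 1 mode, 3 uid, 4 gid).

file_mode()  { ls -dlnL "$1" | awk '{print $1}'; }          # e.g. -rwsr-xr-x
file_owner() { ls -dlnL "$1" | awk '{print $3 ":" $4}'; }   # e.g. 0:0

# Status 0 when PATH already has UID:GID.
ownership_ok() { [ "$(file_owner "$1")" = "$2:$3" ]; }

# Re-add setuid/setgid when MODESTRING (captured before the chown) had them:
# character 4 of the ls mode is s/S for setuid, character 7 for setgid.
restore_setid() {
    case $2 in ???[sS]*)    chmod u+s "$1" || return 1 ;; esac
    case $2 in ??????[sS]*) chmod g+s "$1" || return 1 ;; esac
}

# chown_keep_setid PATH UID GID: chown unconditionally, then put back the
# set-id bits the kernel dropped. Use only when ownership really must change.
chown_keep_setid() {
    cks_before=$(file_mode "$1")
    chown "$2:$3" "$1" || return 1
    restore_setid "$1" "$cks_before"
}

# fix_ownership PATH UID GID: the no-op case touches nothing, so ctime is
# untouched and the set-id bits are never at risk.
fix_ownership() {
    ownership_ok "$1" "$2" "$3" && return 0
    chown_keep_setid "$1" "$2" "$3"
}

# fix_mode PATH: the post's world-readable check, changed only when needed.
fix_mode() {
    case $(file_mode "$1") in
        ?r??r??r??*) return 0 ;;
        *) chmod a+r "$1" ;;
    esac
}
```

Run as an unprivileged user on a file you own, chown to your own uid:gid still goes through the kernel's set-id clearing, which is enough to see restore_setid do its job.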
