
Re: chown clears suid bit!

From: Brian K. White
Subject: Re: chown clears suid bit!
Date: Thu, 13 Apr 2006 15:37:40 -0400

----- Original Message ----- From: "Bob Proulx" <address@hidden>
To: "Brian K. White" <address@hidden>
Cc: <address@hidden>
Sent: Thursday, April 13, 2006 11:42 AM
Subject: Re: chown clears suid bit!

Brian K. White wrote:
Your explanations do make sense but it sure was a surprise is all. I wasn't bs'ing when I said the same script has been unchanged for years, and worked
on several platforms, including linux, for years.

I think if you took your new system running the new linux 2.6 kernel
and booted an older linux 2.4 kernel on it you would find that the
behavior follows the kernel version.  Your previous systems were
probably linux 2.4 kernels.  This is probably the first time your
script has run on the new linux 2.6 kernel.

Also there's the fact that 99% of the time the chown commands in this
particular script end up being no-ops because the script is intended to
correct errors, and normally all the files would already be what the script
wants, and maybe previously in the case of a no-op it really did (what I
think) the more sensible thing, nothing.

I use the following technique in my shell scripts that do similar
things.  Hope you find it interesting.

   # Mode string is the first column of ls -l, e.g. -rw-r--r--
   mode=$(ls -dlnL "$i" | awk '{print$1}')
   case $mode in
     ?r??r??r??*) : file permissions $mode is okay ;;
     *) chmod a+r "$i" ;;
   esac

   # ls -n prints numeric uid and gid; "00" means root:root
   ownergroup=$(ls -dlnL "$i" | awk '{print$3$4}')
   case $ownergroup in
     00) : file ownership $ownergroup is okay ;;
     *) chown root:root "$i" ;;
   esac

I don't change anything unless it needs to be changed.  This way the
file ctime is not continuously being updated.  Admins looking at what
changed today on the system won't find things that did not actually
change today.  Although the matching technique is not completely
portable, some systems will print different information there, it
seems to be good enough in practice.

Also the use of intermediate variables here provide convenient tracing
with 'sh -x script' so that the -x tracing output shows me what is
happening relatively easily when developing and debugging.


That's a great idea and I think I will incorporate it. Thanks.
There are some cases where it'll be hard to do though. This script for example does a couple of sweeping chown -R / chmod -R at the top of a tree of around 30,000 files.
Replacing the -R with any kind of loop might make it take too long to run.
There are some other large sweeping passes that are a little more selective that are based on find | xargs.

I'll try it though, maybe it'll be fast as long as I avoid any screen output and make a mychmod() function that does a "while read a b c d e f ... do ... done", and I can pipe ls -lR into that so I only run ls once, and the while loop gets both perms and filename in one shot and can simply compare values with no need to execute any processes inside the loop 99% of the time. That should be good enough. The same new way of ls | mychown() will work the same way to replace both the chown -R and the find | xargs chown too. It'll be harder to deal with bad filenames (spaces & other special characters) than with -R of course, but not terribly I think.

Food for thought, thanks.
Brian K. White  --  address@hidden  --  http://www.aljex.com/bkw/
filePro  BBx    Linux  SCO  FreeBSD    #callahans  Satriani  Filk!
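The following is an added example, not code from this thread or from either poster. It combines Bob's "don't touch what is already right" check with Brian's plan of enumerating the tree once and spawning chown/chmod only on mismatches: a single GNU `find -printf` (assumed available) prints mode, uid, gid and path per file, the loop compares in-shell, and a file whose ownership already matches is never passed to chown, so its setuid bit survives on a 2.6 kernel. The function names `fix_tree` and `demo` are invented here; the tree built in `demo` is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU find for -printf.
# fix_tree DIR UID GID
#   Walks regular files under DIR, makes each one owned by UID:GID and
#   readable by everyone, but only runs chown/chmod on files that deviate.
#   Prints one line per action, then a summary "fixed: chown=N chmod=M".
fix_tree() {
    tree=$1 want_uid=$2 want_gid=$3
    # One find process prints "mode<TAB>uid<TAB>gid<TAB>path" per file.
    # IFS is restricted to TAB so filenames with spaces survive; names
    # containing TAB or newline would still confuse the loop (the
    # "bad filenames" caveat from the message above).
    find "$tree" -type f -printf '%m\t%U\t%G\t%p\n' | {
        chowns=0 chmods=0
        tab=$(printf '\t')
        while IFS="$tab" read -r mode uid gid path; do
            # Ownership: skip the chown entirely when it would be a no-op,
            # which is what keeps setuid/setgid intact on Linux 2.6.
            if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
                if [ $(( 0$mode & 06000 )) -ne 0 ]; then
                    echo "warning: chown will drop setuid/setgid on $path"
                fi
                chown "$want_uid:$want_gid" "$path"
                echo "chown $want_uid:$want_gid: $path"
                chowns=$((chowns + 1))
            fi
            # Readability: Bob's ?r??r??r?? pattern expressed on the
            # octal mode find prints (all three read bits set?).
            if [ $(( 0$mode & 0444 )) -ne $(( 0444 )) ]; then
                chmod a+r "$path"
                echo "chmod a+r: $path"
                chmods=$((chmods + 1))
            fi
        done
        echo "fixed: chown=$chowns chmod=$chmods"
    }
}

# demo: constructed tree in a temp dir; contrasts fix_tree with the
# unconditional chown -R the original script runs. Whether the last ls
# still shows the 's' bit depends on the kernel, which is the thread's point.
demo() {
    d=$(mktemp -d)
    me=$(id -u) mygrp=$(id -g)
    printf 'x\n' > "$d/suid tool"; chmod 4755 "$d/suid tool"
    printf 'x\n' > "$d/private";   chmod 600  "$d/private"
    echo "before:          $(ls -l "$d/suid tool")"
    fix_tree "$d" "$me" "$mygrp"
    echo "after fix_tree:  $(ls -l "$d/suid tool")"
    chown -R "$me:$mygrp" "$d"      # the no-op chown from the thread
    echo "after chown -R:  $(ls -l "$d/suid tool")"
    rm -rf "$d"
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh fix_tree.sh demo`. Directories are deliberately left alone (`-type f`); a setgid directory is not affected by chown the way a setgid file is, and the mode policy for directories is usually different anyway, so handle them in a separate pass.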
