chown removes setuid bit: bug or feature?

Question

Steps to reproduce:

germar@host:~$ cd /tmp/
germar@host:/tmp$ touch test && chmod u+s test && ls -la test
-rwSr--r-- 1 germar germar 0 Nov  2 20:11 test
germar@host:/tmp$ chown germar:germar test && ls -la test
-rw-r--r-- 1 germar germar 0 Nov  2 20:11 test

Tested with Debian squeeze and Ubuntu 12.04

Does that on Fedora 17 too. – BenjiWiebe Nov 02 '12 at 19:45 — BenjiWiebe, Nov 02 '12 at 19:45
[feature](http://unix.stackexchange.com/q/137086/52934) – mikeserv Aug 05 '14 at 02:05 — mikeserv, Aug 05 '14 at 02:05

score 19 · Accepted Answer · answered Nov 02 '12 at 20:39

Not a bug according to chown documentation:

$ info coreutils 'chown invocation'

   The `chown' command sometimes clears the set-user-ID or set-group-ID
permission bits.  This behavior depends on the policy and functionality
of the underlying `chown' system call, which may make system-dependent
file mode modifications outside the control of the `chown' command.
For example, the `chown' command might not affect those bits when
invoked by a user with appropriate privileges, or when the bits signify
some function other than executable permission (e.g., mandatory
locking).  When in doubt, check the underlying system behavior.

Thanks jlliagre. I didn't know `info coreutils` before. I only read man-page and searched the web. — Germar, Nov 02 '12 at 20:59

score 12 · Answer 2 · answered Nov 04 '12 at 00:23

12

This is by design, and it's standard behavior. Quoting the POSIX standard:

Unless chown is invoked by a process with appropriate privileges, the set-user-ID and set-group-ID bits of a regular file shall be cleared upon successful completion; the set-user-ID and set-group-ID bits of other file types may be cleared.

(s is setuid (or setgid in the group column), not sticky, by the way.)

This behavior follows that of the underlying system call (except that on some systems, the setxid bits are only cleared for executable files).

The reason for removing the setuid bit is that changing the owner also changes which user will be the process's effective user ID. In particular, on systems where a user can give away a file, cp /bin/sh foo; chmod u+s foo; chown joe foo would create a setuid executable belonging to joe, a giant security hole.

answered Nov 04 '12 at 00:23

Gilles 'SO- stop being evil'

807,993
194
1,674
2,175

Upvoting for the nitpick! SUID/SGID are not the "sticky" bit! – Jim Dennis Jul 13 '17 at 19:29
Great point about the security implications of preserving SUID/SGID. I was bothered by the behavior until I read that sentence. I would add, however, I've never seen chown *not* clear the bits, even when running as root. I'm curious what "appropriate privileges" would imply. – vastlysuperiorman Aug 17 '17 at 04:52
1

@vastlysuperiorman On a classical Unix platform, “appropriate privileges” means user ID 0. But POSIX allows systems to define their own security policies. For example, for many operations on Linux, “appropriate privileges” is implemented as a capability (which only root gets by default). In this particular case, does suppress setxid bits on chown regardless of privileges, like most if not all Unix variants. But a POSIX layer on Windows might work differently. – Gilles 'SO- stop being evil' Aug 17 '17 at 08:45

chown removes setuid bit: bug or feature?

2 Answers2

Linked