Re: set group id on directories

der Mouse (mouse@Collatz.McRCIM.McGill.EDU)
Thu, 2 Mar 1995 11:55:33 -0500

> I'd like to know if a sgid bit on a directory represents a security
> risk, given the fact that the directory is not world or group
> writable.

Depends on your system.

> On my system, whereas the manual states that this bit is ignored on
> directories, a file created on such a directory is owned by the same
> group that posses the dir, and any child directory has the same sgid
> bit, by default.

Sounds as though (a) your man page lies and (b) you've got SunOS-style
directory setgid bits[%], where the sgid bit on a directory changes the
group ID semantics of stuff created in that directory.

[%] I first saw them under SunOS, so I think of them as a SunOS
    feature.  I don't know who actually dreamed them up.

Traditionally, under BSD, when something is created in a directory, its
group ID is set to the group ID of that directory.  Under SysV, its
group ID is set to the principal group ID of the creating process.
SunOS merged the two, under the control of something otherwise
meaningless: the setgid bit on the directory.  If this bit is clear,
you get SysV semantics; if set, BSD.  And of course when creating a
directory, it inherits the state of its setgid bit from its parent.

So what does this have to do with security bugs?  Perhaps not much; it
depends on how much you depend on either set of group ID semantics.  (I
hope Scott Chasin counts an explanation that something isn't a bug as
appropriate material for bugtraq.... :-)

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu