cp -a is preserving ownership, from non-root user

1

When I invoke cp -a 1 2 from a non-root user, the ownership is being preserved, despite the fact that file 1 belongs to another user. My understanding was this shouldn't be possible.

What is going on?

Matt Joiner

Posted 2011-07-01T00:49:43.333

Reputation: 825

Answers

0

Make sure the cp binary doesn't have the setuid bit set...

$ ls -l /bin/cp /tmp/badcp1
-rwxr-xr-x 1 root root 103K Jul  1 11:59 /bin/cp
-rwsr-xr-x 1 root root 103K Jul  1 11:59 /tmp/badcp1
   ^

...and that it doesn't have any special capabilities assigned:

$ getcap /tmp/badcp2 
/tmp/badcp2 = cap_chown,cap_fowner+eip

If either is true, this question is a good start.

user1686

Posted 2011-07-01T00:49:43.333

Reputation: 283 655

No to both cases. – Matt Joiner – 2011-07-04T02:35:07.080

Interesting. Can you successfully run chown (either the command or the programming function) on a file in the target filesystem? What type is the target filesystem? Are you sure that your uid is not 0? – user1686 – 2011-07-04T09:34:03.373

@Matt: also, even if you don't have getcap, the OS feature is still there. An attacker may have brought their own copy of libcap2-bin. A good test is cat /bin/cp > /tmp/cp; chmod +x /tmp/cp, then try to use the /tmp/cp -a command to copy files and see if the strange behavior persists. – user1686 – 2011-07-04T10:43:41.997
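The checks discussed in this thread as a POSIX shell script (an added example, not code from the original posts). The function names `audit_binary` and `fresh_copy` are hypothetical helpers, and `getcap` is used only if it is installed.

```shell
#!/bin/sh
# Added example: report why a binary might run with more privilege than its caller.
# audit_binary and fresh_copy are hypothetical helper names, not standard tools.

# Print one finding per line ("setuid", "setgid", "caps: ...") or "clean".
# Returns 0 when clean, 1 when something was found, 2 when the file is missing.
audit_binary() {
    bin=$1
    found=0
    [ -e "$bin" ] || { echo "missing"; return 2; }
    if [ -u "$bin" ]; then echo "setuid"; found=1; fi
    if [ -g "$bin" ]; then echo "setgid"; found=1; fi
    # The kernel honours file capabilities whether or not getcap is installed,
    # so a missing getcap means "not checked", not "no capabilities".
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$bin" 2>/dev/null)
        if [ -n "$caps" ]; then echo "caps: $caps"; found=1; fi
    else
        echo "note: getcap not installed, capabilities not checked" >&2
    fi
    [ "$found" -eq 0 ] && echo "clean"
    return "$found"
}

# Copy file contents only, as in "cat /bin/cp > /tmp/cp; chmod +x /tmp/cp".
# The new file gets default mode bits and no extended attributes, so any
# setuid bit or capability set on the source is not carried over.
fresh_copy() {
    rm -f "$2"
    cat "$1" > "$2" && chmod +x "$2"
}

# Usage: sh audit.sh /bin/cp
if [ "$#" -gt 0 ]; then
    audit_binary "$1" || true
fi
```

If the fresh copy still preserves ownership when run with `-a`, the binary's mode bits and capabilities are ruled out as the cause.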