I just pushed a couple of patches upstream that we should backport for the next RHEL updates. I suspect that Bruce will push them for 2.6.26. Here is the description of the problem:

Currently, knfsd only clears the setuid bit if the owner of a file is changed on a SETATTR call, and only clears the setgid bit if the group is changed. POSIX says this in the spec for chown():

"If the specified file is a regular file, one or more of the S_IXUSR, S_IXGRP, or S_IXOTH bits of the file mode are set, and the process does not have appropriate privileges, the set-user-ID (S_ISUID) and set-group-ID (S_ISGID) bits of the file mode shall be cleared upon successful return from chown()."

If I'm reading this correctly, then knfsd is doing this wrong. It should be clearing both the setuid and setgid bit on any SETATTR that changes the uid or gid. This wasn't really as noticeable before, but now that the ATTR_KILL_S*ID bits are a no-op for the NFS client, it's more evident.
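The rule quoted above, modelled in userspace as an added example (this is not the kernel's nfsd_setattr() code or the attached patch; the inode and SETATTR structs, flag values and helper names are constructed for illustration). kill_bits_old() reproduces the per-bit behaviour described in the comment, kill_bits_fixed() the corrected behaviour where any uid or gid change revokes both bits; mode_after() applies either to a root:root file of a given mode. Linux has applied the chown() rule to root as well since 2.2.13, so no privilege check is modelled.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Which fields a SETATTR carries. Names mirror the kernel's iattr flags,
 * but the values and structs here are a constructed model, not kernel code. */
#define ATTR_UID 0x1u
#define ATTR_GID 0x2u

struct inode_model { mode_t mode; uid_t uid; gid_t gid; };    /* stand-in for an inode */
struct setattr_req { unsigned valid; uid_t uid; gid_t gid; };  /* the client's SETATTR */

/* POSIX chown(): a regular file with at least one exec bit loses
 * S_ISUID and S_ISGID when its owner or group changes. */
static int chown_kills_sid(mode_t mode)
{
    return S_ISREG(mode) && (mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
}

static int uid_changes(const struct inode_model *ino, const struct setattr_req *req)
{
    return (req->valid & ATTR_UID) && req->uid != ino->uid;
}

static int gid_changes(const struct inode_model *ino, const struct setattr_req *req)
{
    return (req->valid & ATTR_GID) && req->gid != ino->gid;
}

/* Behaviour this bug is about: setuid is revoked only on a uid change and
 * setgid only on a gid change, so a chgrp leaves a setuid binary setuid. */
static mode_t kill_bits_old(const struct inode_model *ino, const struct setattr_req *req)
{
    mode_t kill = 0;
    if (uid_changes(ino, req)) kill |= S_ISUID;
    if (gid_changes(ino, req)) kill |= S_ISGID;
    return kill;
}

/* Corrected behaviour: any uid or gid change revokes both bits. */
static mode_t kill_bits_fixed(const struct inode_model *ino, const struct setattr_req *req)
{
    return (uid_changes(ino, req) || gid_changes(ino, req)) ? (S_ISUID | S_ISGID) : 0;
}

/* Apply a SETATTR to a copy of the inode and return the resulting mode. */
static mode_t do_setattr(struct inode_model ino, const struct setattr_req *req, int fixed)
{
    mode_t kill = fixed ? kill_bits_fixed(&ino, req) : kill_bits_old(&ino, req);
    if (req->valid & ATTR_UID) ino.uid = req->uid;
    if (req->valid & ATTR_GID) ino.gid = req->gid;
    if (kill && chown_kills_sid(ino.mode))
        ino.mode &= ~kill;
    return ino.mode;
}

/* Mode of a root:root file with the given mode after SETATTR(valid, uid, gid). */
static mode_t mode_after(mode_t mode, unsigned valid, uid_t uid, gid_t gid, int fixed)
{
    struct inode_model ino = { mode, 0, 0 };
    struct setattr_req req = { valid, uid, gid };
    return do_setattr(ino, &req, fixed);
}

int main(void)
{
    /* Constructed scenarios: a 06755 root:root executable, as in the
     * reproduction further down in this bug. */
    struct { const char *what; unsigned valid; uid_t uid; gid_t gid; } cases[] = {
        { "chown 1000 (uid only)",  ATTR_UID,            1000, 0   },
        { "chgrp 100 (gid only)",   ATTR_GID,            0,    100 },
        { "chown 1000:100",         ATTR_UID | ATTR_GID, 1000, 100 },
        { "chown 0:0 (no change)",  ATTR_UID | ATTR_GID, 0,    0   },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-24s old: %07o  fixed: %07o\n", cases[i].what,
               (unsigned)mode_after(0106755, cases[i].valid, cases[i].uid, cases[i].gid, 0),
               (unsigned)mode_after(0106755, cases[i].valid, cases[i].uid, cases[i].gid, 1));
    return 0;
}
```

The chgrp-only case is the one that matters for an attacker: with the old logic a setuid-root binary exported over NFS stays setuid after its group is changed, which is exactly the shape of the fchown03 failure reported below (0104770 where 0100770 was expected).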
Created attachment 303510 [details] patch -- revoke both setuid and setgid on uid/gid changes
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
in kernel-2.6.18-99.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment not mirrored from IT:
------- Comment From sijo.george.com 2008-11-05 01:53 EDT-------
The bug still exists on RHEL 5.3 Beta.
-------------------------------
[root@qs22-3 bin]# ./fchown03
fchown03 1 FAIL : testfile: Incorrect mode permissions 0104770, Expected 0100770
[root@qs22-3 bin]# uname -a
Linux qs22-3.ltc.austin.ibm.com.ltc.austin.ibm.com 2.6.18-120.el5 #1 SMP Fri Oct 17 18:06:21 EDT 2008 ppc64 ppc64 ppc64 GNU/Linux
[root@qs22-3 bin]# cat /etc/issue
Red Hat Enterprise Linux Server release 5.3 Beta (Tikanga)
Kernel \r on an \m
[root@qs22-3 bin]#
-----------------------------------
Regards:
Sijo
This event sent from IssueTracker by balkov
 issue 179301
Works for me on -122.el5:

# mount -t nfs localhost:/export /mnt/test
# touch /export/testfile
# chown root:root /export/testfile
# chmod 6755 /export/testfile
# ls -l /mnt/test/testfile
-rwsr-sr-x 1 root root 24 Oct 28 21:57 /mnt/test/testfile
# chown testuser /mnt/test/testfile
# ls -l /mnt/test/testfile
-rwxr-xr-x 1 testuser root 24 Oct 28 21:57 /mnt/test/testfile

...I get the same file mode when I chgrp the file instead here too. This sure looks like it's fixed to me. What exactly does "fchown03" do?
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2009-0225.html