fix: enforce per-file ownership check and clear setuid/setgid in chown()#361
Draft
toddr-bot wants to merge 1 commit into cpan-authors:main from
Conversation
POSIX chown(2) requires non-root callers to own the file before changing its group, even when the target gid is in their supplementary group list. The previous implementation checked group membership globally but never verified per-file ownership, allowing gid changes on files owned by other users.

Additionally, POSIX mandates that setuid and setgid bits are cleared when a non-root user successfully calls chown(). This was not enforced.

Changes:
- Add per-file ownership check in the __chown loop (EPERM if non-root caller doesn't own the file and gid != -1)
- Clear S_ISUID and S_ISGID mode bits on successful non-root chown
- Define S_ISUID (04000) and S_ISGID (02000) constants
- Add 4 new test subtests covering both bugs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
What

Fixes two POSIX compliance bugs in the mocked chown() implementation.

Why

- Missing ownership check: Non-root users could change a file's gid even on files they don't own, as long as the target gid was in their group list. POSIX chown(2) requires the caller to own the file.
- setuid/setgid bits not cleared: POSIX mandates that S_ISUID and S_ISGID are cleared when a non-root user calls chown(). This security semantic prevents privilege escalation via chowned setuid binaries.

How

- `$eff_uid == $mock->{'uid'}` check inside the `__chown` loop for non-root gid changes (returns EPERM on mismatch)
- `$mock->{'mode'} &= ~(S_ISUID | S_ISGID)` after successful non-root chown
- `S_ISUID` (04000) and `S_ISGID` (02000) constants alongside existing `S_IF*` constants

Testing

- t/chown.t: non-owner gid denied, setuid/setgid clearing, root preserves bits, multi-file partial success
- fh-ref-leak.t (GH Spooky action-at-a-distance #179 failure)

🤖 Generated with Claude Code
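As an added illustration, not code from the project or this PR, here is a stand-alone Perl model of the rules the description lists: the per-file ownership check for gid changes, the group-membership check, and the setuid/setgid clearing, applied across several files the way Perl's chown counts successes. The `$caller` and mock-inode hash shapes are assumptions, as is the owner-change rule, which is standard POSIX behaviour rather than part of this PR.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Errno qw(EPERM);

# Mode bits as named in the PR (POSIX values).
use constant { S_ISUID => 04000, S_ISGID => 02000 };

# Apply chown(2) permission rules to one mock inode.
# $caller: { uid => N, gids => [...] }  (effective uid and supplementary groups)
# $file:   { uid => N, gid => N, mode => N }  (hypothetical mock inode shape)
# Returns 1 and mutates $file on success; returns 0 with $! set on failure.
sub mock_chown_one {
    my ($caller, $file, $new_uid, $new_gid) = @_;
    my $is_root = $caller->{uid} == 0;
    if (!$is_root) {
        # _POSIX_CHOWN_RESTRICTED: only root may change the owner (not part of this PR).
        if ($new_uid != -1 && $new_uid != $file->{uid}) { $! = EPERM; return 0; }
        if ($new_gid != -1) {
            # Per-file ownership check the PR adds: the caller must own this file.
            if ($caller->{uid} != $file->{uid}) { $! = EPERM; return 0; }
            # Pre-existing check: the target gid must be in the caller's group list.
            unless (grep { $_ == $new_gid } @{ $caller->{gids} }) { $! = EPERM; return 0; }
        }
    }
    $file->{uid} = $new_uid if $new_uid != -1;
    $file->{gid} = $new_gid if $new_gid != -1;
    # POSIX: a successful non-root chown drops setuid/setgid, so a setuid
    # binary handed to another user/group cannot keep its elevated bits.
    $file->{mode} &= ~(S_ISUID | S_ISGID) unless $is_root;
    return 1;
}

# Like Perl's chown: apply to every file and return the number successfully changed.
sub mock_chown {
    my ($caller, $new_uid, $new_gid, @files) = @_;
    my $changed = 0;
    $changed += mock_chown_one($caller, $_, $new_uid, $new_gid) for @files;
    return $changed;
}

# Constructed scenario: alice owns a setuid binary and tries to chgrp two files.
my $alice = { uid => 1000, gids => [ 1000, 27 ] };
my $mine  = { uid => 1000, gid => 1000, mode => 0104755 };   # setuid, owned by alice
my $bobs  = { uid => 1001, gid => 1001, mode => 0100644 };   # owned by someone else
my $n = mock_chown($alice, -1, 27, $mine, $bobs);
printf "changed %d file(s); mine mode=%o, bobs gid=%d, last error: %s\n",
    $n, $mine->{mode}, $bobs->{gid}, $!;
```

Running it shows the partial-success case from t/chown.t: alice's own file changes group and loses its setuid bit, while the file she does not own is refused with EPERM.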