Description
Solaris can be configured so that user 'A' is able to give away ownership of their own files to another user 'B' (that is, chown(2) is not restricted to the superuser). Under such conditions, when user A uses gzip(1) to compress a file 'F' which belongs to user B, gzip first creates the 'F.gz' file belonging to user A and then attempts to make the compressed file match the original by changing its owner to user B. However, Solaris 10 with certain patches and Solaris 11.1 have an issue whereby gzip is then unable to change the permissions on the 'F.gz' file. This results in the zipped file 'F.gz' having permissions erroneously set to 600 instead of the permissions of 'F'.
Occurrence
This issue can occur in the following releases:
SPARC Platform
•Solaris 10 with patch 120719-03 or later
•Solaris 11.1 or later
x86 Platform
•Solaris 10 with patch 120720-03 or later
•Solaris 11.1 or later
Notes:
1. Solaris 8 and 9 are not impacted by this issue.
2. This issue only impacts systems which have been configured so that user 'A' is able to change the ownership of their own files to another user 'B'.
There are two ways to configure a system so that this is true:
A) Using the 'norstchown' mount option. To determine if a system has been configured this way, execute the following command:
a1) non-ZFS mounts
$ /usr/sbin/mount | grep norstchown
/mnt on /dev/.... read/write/.../norstchown/... on Tue Nov 26 14:14:48 2013
a2) ZFS mounts
$ /usr/sbin/zpool list -H -o name | while read POOL; do /usr/sbin/zfs get -r rstchown "$POOL" | perl -ne 'print if m/\srstchown\s+off/' ; done
rpool/test rstchown off local
OR:
B) Granting the 'file_chown_self' privilege to user 'A'. To determine if a process (here, the current shell) has this privilege, execute the following command and check that 'file_chown_self' (or 'all') appears in the effective set 'E:':
$ ppriv $$
1653: -bash
flags = <none>
E: basic,file_chown_self
I: basic,file_chown_self
P: basic,file_chown_self
L: all
Symptoms
Should the described issue occur, gzip(1) reports an error similar to the following:
gzip: F.gz: Not owner
File 'F.gz' is generated, but its permissions (600) differ from those of the original file 'F'.
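The following is an added example, not part of the Oracle note above: shell helpers that apply the two precondition checks from the Notes (norstchown mounts, ZFS datasets with rstchown=off, file_chown_self in the shell's effective privilege set) to command output, and a check that a compressed file kept the owner, group and mode of its original, which is the symptom described above. The function names are this example's own, and the sample mount, zfs and ppriv output at the bottom is constructed to resemble Solaris output rather than captured from a real host; only audit_live_host runs the real Solaris commands.

```shell
#!/bin/sh
# Added example (not from the Oracle note): audit helpers for the gzip
# ownership/permission issue. Sample inputs below are constructed.

# Print mount points whose option list (4th field of `mount` output,
# slash-separated) contains norstchown.
norstchown_mounts() {
    printf '%s\n' "$1" | awk '{
        n = split($4, opt, "/")
        for (i = 1; i <= n; i++) if (opt[i] == "norstchown") print $1
    }'
}

# Print ZFS datasets reporting rstchown=off from `zfs get -r rstchown` output.
zfs_rstchown_off() {
    printf '%s\n' "$1" | awk '$2 == "rstchown" && $3 == "off" { print $1 }'
}

# Exit 0 if the E (effective) set in `ppriv` output grants file_chown_self,
# either explicitly or through "all".
has_file_chown_self() {
    printf '%s\n' "$1" | awk '
        $1 == "E:" {
            n = split($2, p, ",")
            for (i = 1; i <= n; i++)
                if (p[i] == "file_chown_self" || p[i] == "all") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Compare owner, group and mode of an original file and its .gz using
# `ls -ln` (portable between Solaris and Linux). Exit 0 if they match,
# 1 on a mismatch; a one-line report is printed either way.
gz_perm_check() {
    orig=$1; gz=${2:-$1.gz}
    set -- $(ls -ln "$orig"); omode=$1; ouid=$3; ogid=$4
    set -- $(ls -ln "$gz");   gmode=$1; guid=$3; ggid=$4
    if [ "$omode" = "$gmode" ] && [ "$ouid" = "$guid" ] && [ "$ogid" = "$ggid" ]; then
        echo "OK: $gz matches $orig ($omode $ouid:$ogid)"
        return 0
    fi
    echo "MISMATCH: $orig is $omode $ouid:$ogid but $gz is $gmode $guid:$ggid"
    return 1
}

# Live audit of a Solaris host (not run here; call it manually).
audit_live_host() {
    norstchown_mounts "$(/usr/sbin/mount)"
    for pool in $(/usr/sbin/zpool list -H -o name); do
        zfs_rstchown_off "$(/usr/sbin/zfs get -r rstchown "$pool")"
    done
    has_file_chown_self "$(ppriv $$)" && echo "shell has file_chown_self"
}

# --- constructed sample output for the demonstration below ---
SAMPLE_MOUNT='/ on rpool/ROOT/solaris read/write/setuid/devices/rstchown/dev=4a50002 on Tue Nov 26 14:10:01 2013
/mnt on /dev/dsk/c0t0d0s6 read/write/setuid/devices/norstchown/dev=800006 on Tue Nov 26 14:14:48 2013'
SAMPLE_ZFS='NAME        PROPERTY  VALUE  SOURCE
rpool       rstchown  on     default
rpool/test  rstchown  off    local'
SAMPLE_PPRIV='1653:   -bash
flags = <none>
        E: basic,file_chown_self
        I: basic,file_chown_self
        P: basic,file_chown_self
        L: all'

norstchown_mounts "$SAMPLE_MOUNT"      # prints: /mnt
zfs_rstchown_off "$SAMPLE_ZFS"         # prints: rpool/test
has_file_chown_self "$SAMPLE_PPRIV" && echo "file_chown_self present"
```

After compressing a file on an affected system, `gz_perm_check F` reports the 600 mode against the original's mode and returns 1, which makes it usable as a guard in scripts that compress other users' files.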
Workaround
If user 'A' is compressing files belonging to users other than 'root', you may for example create an RBAC profile that runs /usr/bin/gzip with the file_owner privilege and assign it to 'A':
echo "GZIP workaround:::profile giving /usr/bin/gzip ability to ignore file permissions:" >> /etc/security/prof_attr
echo "GZIP workaround:solaris:cmd:::/usr/bin/gzip:privs=file_owner" >> /etc/security/exec_attr
usermod -P 'GZIP workaround' A # A is username; -P replaces A's profile list, so include any profiles A already holds
Note that exec_attr(4) entries only take effect when the command is run through pfexec(1) or a profile shell (for example 'pfexec gzip F'), not when gzip is invoked directly.
If user 'A' is compressing files belonging to 'root', that user needs elevated privileges, for example an exec_attr entry that runs gzip with euid=0:
echo 'GZIP workaround:suser:cmd:::/usr/bin/gzip:euid=0' >> /etc/security/exec_attr
Use '>>' here as well; '>' would truncate /etc/security/exec_attr and discard every other entry in it. With euid=0, gzip runs as root for user 'A', which lets 'A' read, create and unlink files anywhere gzip can be pointed at, so restrict this profile to the users who genuinely need it.
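The following is an added example, not part of the Oracle note: a small script that installs the non-root workaround profile idempotently, appending the prof_attr(4) and exec_attr(4) entries (never overwriting the files) and only when the profile is not already present, then merging the profile into a user's existing list. The function names are this example's own; the file paths are parameters so the demonstration at the end runs against temporary copies on any system, while assign_gzip_profile assumes the Solaris profiles(1) and usermod(1M) commands and is not run by the demonstration.

```shell
#!/bin/sh
# Added example (not from the Oracle note): idempotent install of the
# "GZIP workaround" RBAC profile.

PROFILE='GZIP workaround'

# Append line $2 to file $1 unless an entry for $PROFILE already exists.
# Always uses '>>', so the RBAC database is never truncated.
append_once() {
    file=$1; line=$2
    if grep -q "^$PROFILE:" "$file" 2>/dev/null; then
        echo "present: $file"
    else
        printf '%s\n' "$line" >> "$file"
        echo "added: $file"
    fi
}

# Install the prof_attr and exec_attr entries. With no arguments the real
# databases under /etc/security are used (requires root on Solaris).
install_gzip_profile() {
    append_once "${1:-/etc/security/prof_attr}" \
        "$PROFILE:::profile giving /usr/bin/gzip ability to ignore file permissions:"
    append_once "${2:-/etc/security/exec_attr}" \
        "$PROFILE:solaris:cmd:::/usr/bin/gzip:privs=file_owner"
}

# Number of entries for the profile in file $1 (expected: exactly 1).
profile_entries() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c "^$PROFILE:" "$1" || true
}

# Assign the profile to a Solaris user. usermod -P replaces the whole
# profile list, so the profiles the user already holds (one per line after
# the "user:" header of `profiles USER`) are merged in first.
assign_gzip_profile() {
    user=$1
    current=$(profiles "$user" | awk 'NR > 1 { sub(/^ +/, ""); printf "%s%s", sep, $0; sep = "," }')
    usermod -P "${current:+$current,}$PROFILE" "$user"
}

# --- demonstration on temporary copies (safe to run anywhere) ---
DEMO_DIR=$(mktemp -d)
install_gzip_profile "$DEMO_DIR/prof_attr" "$DEMO_DIR/exec_attr"   # added: ...
install_gzip_profile "$DEMO_DIR/prof_attr" "$DEMO_DIR/exec_attr"   # present: ... (no duplicates)
```

Running the installer twice leaves exactly one entry in each file, which is the property the raw echo commands lack; the euid=0 variant for root-owned files can be installed the same way by passing the 'suser' exec_attr line to append_once.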