grsecurity forums

[Kyoshiro]

Whenever I have a setgid file, grsec disallows any chmod of this file if there's no 'm' access to the object. For example I do a chmod o+rx on :

drwxr-s--- 5 user www-data 4,0K 2005-01-17 21:10 html/
(restricted:G:/) denied chmod of /home/.../html by /bin/chmod[chmod:29321] ...

But chmod g-s is allowed and then I can do chmod o+rx for example.

Maybe it is related to the fact that chmod wants to remove the setgid mode when changing the mode of html ? Or is it standard behavior to deny chmod on setgid/setuid files when there's not the 'm' flag on that file ?

BTW, is there a way to disallow setgid bit removal ? Is it possible to add current and wanted modes in grsec logs when a chmod is denied ?

[spender]

The reason is that when you do a chmod o+x on a file, you're getting the current permissions, modifying that to include o+x, and setting that entire permission on the file. So, if the file already has +s, you're setting it again when you chmod o+x. There are advantages to having it this way, say if you had some file:
rwsr-x--- buggysuidapp

Requiring m to chmod this file would keep someone from making it world-executable.

-Brad

[Kyoshiro]

That's what I though later . Thanks for the explanation.

My last question remain: is it possible to add current and wanted modes in grsec logs when a chmod is denied ? It'd be useful to see what the user wanted to do.