freebsd stable - Jan 2006 - [5.4] mode bits changed by close(2)

I've found an interesting little quirk that doesn't seem like it
should be working this way.  If I:

	fd = open(file)
	write(fd, data)
	fchmod(fd, 04711) /* or anything set{u,g}id */
	close(fd)

The set{u,g}id bits get cleared by the close, but only if the amount
of data is not a multiple of the page size, and the target file is on
an nfs mount.  It would seem to reduce the utility of fchmod()
somewhat....

A demonstration program is included below.  I've verified this on a
fairly recently 5.4 client system, with both Linux and FBSD 5.4 NFS
servers.  I don't have 6 or -current available to me at the moment.
There's the obvious work-around of doing a chmod() after the close,
but that has security implications.

Sticking an fsync() in between the fchmod() and the close() causes the
bits to be cleared as a side-effect of the fsync().  Doing another
fchmod() after the fsync() produces the final expected set{u,g}id
results even after the close.  Unfortunately, fsync() is a rather
expensive operation.

	Dworkin
===============================================================#include
<stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>

char buf[25 * 1024];

int
main(int argc, char **argv)
{
	int fd;
	int count;
	char *file;
	struct stat sbuf;

	if (argc != 2) {
		fprintf(stderr, "usage: %s /file/name\n", argv[0]);
		exit(1);
	}

	file = argv[1];
	fd = open(file, O_RDWR | O_CREAT, 0666);
	if (fd == -1) {
		fprintf(stderr, "could not open %s: %s\n",
		    file, strerror(errno));
		exit(1);
	}

	if (write(fd, buf, sizeof (buf)) == -1) {
		fprintf(stderr, "could not write to %s: %s\n",
		    file, strerror(errno));
		exit(1);
	}

	if (fstat(fd, &sbuf) == -1) {
		fprintf(stderr, "could not fstat %s: %s\n",
		    file, strerror(errno));
		exit(1);
	}

	printf("Initial permissions: 0%o\n", sbuf.st_mode & ALLPERMS);

	if (fchmod(fd, 04711) == -1) {
		fprintf(stderr, "could not fchmod %s: %s\n",
		    file, strerror(errno));
		exit(1);
	}

	if (fstat(fd, &sbuf) == -1) {
		fprintf(stderr, "could not fstat %s: %s\n",
		    file, strerror(errno));
		exit(1);
	}

	printf("After write: 0%o\n", sbuf.st_mode & ALLPERMS);

	if (close(fd) == -1) {
		fprintf(stderr, "could not close %s: %s\n",
		    file, strerror(errno));
		exit(1);
	}

	if (stat(file, &sbuf) == -1) {
		fprintf(stderr, "could not stat %s: %s\n",
		    file, strerror(errno));
		exit(1);
	}

	printf("After close: 0%o\n", sbuf.st_mode & ALLPERMS);

	exit(0);
}

On Saturday 28 January 2006 07:31, dlm-fb@weaselfish.com
wrote:
> A demonstration program is included below.  I've verified this on a
> fairly recently 5.4 client system, with both Linux and FBSD 5.4 NFS
> servers.  I don't have 6 or -current available to me at the moment.
> There's the obvious work-around of doing a chmod() after the close,
> but that has security implications.
I tested it on a 6.0 server with a -current client..
[inchoate 8:55] /remotehome/darius >~/test ./foo
Initial permissions: 0644
After write: 04711
After close: 0711

:(

I also get the same result with a loopback NFS mount on -current.

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20060128/a7ca0892/attachment.bin

On Fri, Jan 27, 2006 at 02:01:19PM -0700, dlm-fb@weaselfish.com
wrote:
> Sticking an fsync() in between the fchmod() and the close() causes the
> bits to be cleared as a side-effect of the fsync().  Doing another
> fchmod() after the fsync() produces the final expected set{u,g}id
> results even after the close.  Unfortunately, fsync() is a rather
> expensive operation.
There is code to clear the suid bits on a file when it is written
to, and I guess this is being triggered when the write is flushed
rather than when the write call is made. This would explain why
flushing before the fsync stops the problem.

I've a feeling that it may be difficult to fix this and still have
the suid bits cleared if someone writes to a file via mmap, but I'm
not completly sure.

	David.