Coda File System

Re: errr..?

From: Jan Harkes <jaharkes_at_cs.cmu.edu>
Date: Mon, 11 Sep 2000 17:22:38 -0400
On Mon, Sep 11, 2000 at 01:54:08PM -0700, Scott Smith wrote:
> what's up with this? done on a coda volume..

Yes, setuid is bad, it was introduced at some point only because of
experimentation with `netbooting' Coda, i.e. running a whole system
chrooted into /coda as soon as possible.

> ensomnia:tmp {15} id
> uid=1000(scott) gid=100(users) groups=100(users), 0(wheel)
> ensomnia:tmp {16} gcc thing.c
> ensomnia:tmp {17} ls -l a.out
> -rwxr-xr-x  1 scott  nobody  3512 Sep 11 11:48 a.out*
> ensomnia:tmp {18} chown root a.out

This is AFAIK only possible because you are a member of the
System:Administrators group, which is the Coda equivalent of `root'. A
bigger problem is when one has root access on some machine with a
non-administrator token and creates the script while fully connected.

> ensomnia:tmp {19} chmod 4755 a.out

This setattr call will be blocked in 5.3.9 (EPERM).

> ensomnia:tmp {20} ls -l a.out
> -rwsr-xr-x  1 root  nobody  3512 Sep 11 11:48 a.out*

Any modebits returned by servers will be stripped by anding them with 0777.

If people still want to use `setuid' applications in Coda they will have
to set up a setuid wrapper on a local filesystem, which imposes `local'
policy and restrictions.

i.e.

 -rwxr-xr-x  1 root  nobody  3512 Sep 11 11:48 a.out -> /bin/setuid-wrapper
 -rwxr-xr-x  1 root  nobody  3512 Sep 11 11:48 a.out.real*

And /bin/setuid-wrapper could be something like,

    #!/bin/sh
    # $0 is the symlink in Coda (a.out); the real program sits beside it as a.out.real
    bin="$0.real"
    if [ -x "$bin" ]; then
        sudo "$bin" "$@"
    fi

Jan
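
A fuller wrapper in the spirit of the sketch above, added here as an example; it is not from the original post and not part of Coda. The policy directory /etc/setuid-wrapper.d, the variable POLICY_DIR and the function check_real_binary are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the wrapper from the post: a setuid wrapper kept on a
# local filesystem that enforces a local policy before handing off to the
# real program via sudo. The policy itself is an assumption:
#   - an administrator enables each program by name by creating
#     $POLICY_DIR/<name> on local disk, so Coda contents alone never suffice;
#   - the real program must be a regular executable file;
#   - it must not be writable by group or others.
POLICY_DIR=${POLICY_DIR:-/etc/setuid-wrapper.d}

# check_real_binary PATH: returns 0 if PATH may be run via sudo, 1 otherwise
check_real_binary() {
    f=$1
    name=$(basename "$f" .real)
    if [ ! -f "$POLICY_DIR/$name" ]; then
        echo "refused: $name is not enabled in $POLICY_DIR" >&2; return 1
    fi
    if [ ! -f "$f" ] || [ ! -x "$f" ]; then
        echo "refused: $f is not an executable regular file" >&2; return 1
    fi
    # find prints the path only when all of the given bits are set;
    # -perm -022 would demand both bits, so test group and other separately
    if [ -n "$(find "$f" -prune -perm -020)" ] ||
       [ -n "$(find "$f" -prune -perm -002)" ]; then
        echo "refused: $f is writable by group or others" >&2; return 1
    fi
    return 0
}

# Entry point for the layout in the post: a.out -> this wrapper, with
# a.out.real beside it. Only dispatches when invoked through such a symlink.
if [ -e "$0.real" ]; then
    check_real_binary "$0.real" && exec sudo "$0.real" "$@"
    exit 1
fi
```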
Received on 2000-09-11 17:24:55