mv, cp, and sgid on directories (was: cp -p)

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Feb 9 12:26:57 UTC 2008


Jonathan McKeown wrote:

> The bit that still worries me in this discussion is the sgid bit (pun not 
> intended, but I'm not going to delete it now!): as I understand it, creating 
> a file has different behaviour on SYSV-derived systems and Berkeley-derived 
> systems.
> 
> SYSV creates files group-owned by the creator's primary group.
> BSD creates files which inherit the group-ownership of the directory they are 
> created in.
> 
> SYSV behaviour can be changed to BSD behaviour per-directory, by using the 
> sgid bit on the directory.
> BSD behaviour can't be changed and the sgid bit on a directory is ignored.
> 
> Again, could someone confirm whether I'm talking nonsense here?

That's pretty much correct.  Some SysV-ish systems maintained the concept
of a 'current group' which you could switch your login session to, so
long as you were a member of the group in question and you knew the group
password (if any).  Any files you created would have ownership by your
current UID and GID. That, incidentally, is why there is a password field
in /etc/group at all.  It seems to be pretty much of historical interest
only nowadays -- personally I have never seen a system where group passwords
were ever actually used, and I'm not aware of any utility for manipulating
the passwords in /etc/group.

Anyhow, BSD-ish systems always had a different take on exactly how
group ownership of files and processes should work -- one which didn't
depend on the end user consciously remembering to switch current group
at the appropriate time.

There were various other differences in the way various programs worked in
this area. For instance in early versions of SysV it was possible for a
mortal user to give files away (i.e. chown(1) a file they owned to another
user).  Needless to say that was pretty quickly recognised for the
security hole that it is and nowadays anything Unix-like will follow
the POSIX.2 standard where you have to be root to change file ownership.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
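The group-inheritance behaviour discussed in this thread can be checked on a given system with the probe below. It is an added example, not part of the original message; the function names (gid_of, pick_other_gid, probe_dir, classify) are hypothetical, and it assumes the caller is either root or a member of at least one supplementary group.

```shell
#!/bin/sh
# Added example, not from the thread: probe which group a newly created file
# gets, in a plain directory and in a setgid one.

# Numeric group owner of a path (ls -n is POSIX; stat(1) flags are not).
gid_of() { ls -ldn "$1" | awk '{print $4}'; }

# A gid different from our effective gid that we are allowed to chgrp to:
# root can try any gid, other users need a supplementary group.
pick_other_gid() {
    egid=$(id -g)
    if [ "$(id -u)" -eq 0 ]; then echo $((egid + 1)); return 0; fi
    for g in $(id -G); do
        if [ "$g" != "$egid" ]; then echo "$g"; return 0; fi
    done
    return 1
}

# probe_dir plain|sgid -> prints "inherits" (file took the directory's group),
# "creator" (file took our effective gid) or "skipped" (could not set up).
probe_dir() {
    other=$(pick_other_gid) || { echo skipped; return 0; }
    d=$(mktemp -d) || { echo skipped; return 0; }
    mode=0770; [ "$1" = sgid ] && mode=2770
    result=skipped
    if chgrp "$other" "$d" 2>/dev/null && chmod "$mode" "$d" 2>/dev/null; then
        # The kernel may silently drop setgid; confirm it before trusting the probe.
        case "$1:$(ls -ld "$d")" in
            sgid:??????[!sS]*) ;;
            *)  : > "$d/newfile"
                if [ "$(gid_of "$d/newfile")" = "$other" ]; then result=inherits
                else result=creator; fi ;;
        esac
    fi
    rm -rf "$d"
    echo "$result"
}

# Combine both probes into a verdict for the filesystem holding the temp dir.
classify() {
    case "$(probe_dir plain)/$(probe_dir sgid)" in
        inherits/*)       echo "BSD-style: directory group inherited regardless of setgid" ;;
        creator/inherits) echo "SysV-style: inherited only under a setgid directory" ;;
        *)                echo "undetermined" ;;
    esac
}

classify
```

The verdict applies to the filesystem that holds the temporary directory; set TMPDIR to probe a different mount.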

