From: Andries.Brouwer@cwi.nl

jpcartal@free.fr writes:

	I noticed that contrary to what was happening with 2.4.x kernel, suid 
	root files don't loose their suid bit when they get overwritten by a 
	normal user (see example below)

	Is this the intended behaviour or a bug ?

	Example :

	[root@localhost test]# chown root ~cartaljp/test/suid_test
	[root@localhost test]# chmod 4775 ~cartaljp/test/suid_test
	[root@localhost test]# exit
	[cartaljp@localhost test]$ cp /bin/ls suid_test
	[cartaljp@localhost test]$ ls -l
	total 72
	-rwsrwxr-x    1 root     cartaljp    67668 Sep 19 07:56 suid_test <- 
	Suid bit is still set whereas with 2.4.x kernel it was reset.

Yes. Here 2.4 had the terrible code

     mode = (inode->i_mode & S_IXGRP)*(S_ISGID/S_IXGRP) | S_ISUID;

while 2.6 does things via notify_change().  However, in 2.6 notify_change()
does not allow removal of the SUID bit because you are not owner of the
file :-).  So, we have to convince inode_change_ok() to do it anyway.



 mm/filemap.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

diff -puN mm/filemap.c~setuid-removal-fix mm/filemap.c
--- 25/mm/filemap.c~setuid-removal-fix	2003-09-21 09:35:55.000000000 -0700
+++ 25-akpm/mm/filemap.c	2003-09-21 09:35:55.000000000 -0700
@@ -1451,7 +1451,7 @@ void remove_suid(struct dentry *dentry)
 
 	/* was any of the uid bits set? */
 	if (mode && !capable(CAP_FSETID)) {
-		newattrs.ia_valid = ATTR_KILL_SUID | ATTR_KILL_SGID;
+		newattrs.ia_valid = ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_FORCE;
 		notify_change(dentry, &newattrs);
 	}
 }

_