SUID, SGID, and sticky bit clearing on writes
SCO systems guarantee that the SUID, SGID
and sticky bits are cleared on files that are written.
This prevents users from substituting another program in the file to take
advantage of its SUID or SGID bits (which they
could not otherwise set).
An SUID bit shows as an ``s'' in the permissions of a file. Example 5-1 demonstrates bit clearing twice (user input is in boldface).
Example 5-1 Bit clearing examples
iduid=76(blf) gid=11(guru) $
ls -l myprogram-rwsrwsrwt 1 root bin 10240 Jan 11 22:45 myprogram $
cat sneakyprog > myprogram$
ls -l myprogram-rwxrwxrwx 1 root bin 10240 Mar 18 14:18 myprogram $
ls -l anotherprog-rws------ 1 blf guru 83706 Dec 15 1987 anotherprog $
ls -l anotherprog-rwx------ 1 blf guru 17500 Mar 18 14:19 anotherprog
In the example, user blf (the id(C) utility was used to show the identity) first uses the cat utility to replace the contents of the file myprogram. The SUID bit is removed during this process. The second example demonstrates that the bit clearing is even done on files owned by the same user. When blf strips the file (removing the debugging information in a compiled binary file), the SUID bit is also removed. You should be aware that the clearing happens when files are replaced. Adjust any installation scripts to reset the proper modes. With this feature, you can place these bits on user programs without fear that the user can switch programs in the same file.
The SUID, SGID, and sticky bits are not cleared on directories. The SUID bit has no meaning for directories, and both the SGID and sticky bits have a meaning for directories that warrant their remaining there.