Bugtraq mailing list archives

RE: Curious fileutils/coreutils behaviour.


From: Michael Wojcik <Michael.Wojcik () microfocus com>
Date: Fri, 14 May 2004 11:19:55 -0700

From: David Malone [mailto:dwmalone () cnri dit ie] 
Sent: Thursday, May 13, 2004 12:49 PM

Solaris, AIX, and FreeBSD all seem to have less surprising behaviour
for chown and chmod and provide a "-h" flag for chowning a symlink
rather than its target. Fileutils also has a "-h" flag, but it is
the default for chown, so you need to say "--dereference" to get
it to operate on the target.

While this choice of default isn't clearly wrong...

It's pretty clear to me that it's wrong.  It's inconsistent (with the other
utilities) and counterintuitive, which is a major security risk for a
security-sensitive utility.  Changing ownership of a symlink is rarely
useful (*), so it makes the less-desirable behavior the default.  It operates
differently from other implementations of the chown command, and requires a
nonstandard and implausible flag to force the de facto standard behavior.
That's three strikes against it; it's out.

Of course, changing the default behavior could have adverse effects on shell
scripts and slow learners, so simply correcting it is likely to cause some
grief.  IMO it's worth it in a case like this.

(*)Contrary to the FAQ entry you cited, it is sometimes useful to change the
ownership of a symlink.  Since the owner of a symlink can be detected by a
program, there can exist programs which depend on it.  Consider a script
which uses "find -user x" for some purpose, for example, or the behavior of
directories with the sticky bit set.  Also, there was recently a discussion
of a real-world case on comp.unix.aix where the use of the -h flag behavior
(change link rather than target) would have avoided unfortunate
consequences.  The text of the FAQ entry is a classic case of failing to
consider all the consequences of an action and attending only to the most
obvious ones - a common security error.


-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus
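Since the thread is about scripts silently depending on whichever chown default a platform ships, here is an added example (not from the thread or any of its authors) of shell wrappers that state the link-versus-target intent explicitly; it assumes chown -h (present on the systems named above) and readlink -f (GNU coreutils / FreeBSD, not POSIX) are available.

```shell
# Added example: make the symlink/target choice explicit instead of relying
# on the platform's chown default. Assumes chown -h and readlink -f exist.

# chown_link OWNER PATH: change the owner of the link itself, never its target.
chown_link() {
    owner=$1; path=$2
    [ -L "$path" ] || { echo "chown_link: $path is not a symlink" >&2; return 1; }
    chown -h "$owner" "$path"
}

# chown_target OWNER PATH: change the owner of whatever PATH resolves to.
# The link is resolved here, so the result is identical on every chown
# implementation; a dangling link is refused rather than silently handled.
chown_target() {
    owner=$1; path=$2
    if [ -L "$path" ]; then
        target=$(readlink -f -- "$path") || return 1
        [ -e "$target" ] || { echo "chown_target: $path dangles ($target)" >&2; return 1; }
        chown "$owner" "$target"
    else
        chown "$owner" "$path"
    fi
}

# Demo on a constructed temp directory. Ownership is set to the current user,
# so it runs unprivileged. Returns 0 when every expectation holds.
demo_chown_semantics() {
    dir=$(mktemp -d) || return 1
    me=$(id -un)
    : > "$dir/real"
    ln -s real "$dir/live"
    ln -s does-not-exist "$dir/dangling"
    chown_target "$me" "$dir/live"     || { echo "live target failed" >&2; return 1; }
    chown_link   "$me" "$dir/dangling" || { echo "link chown failed" >&2; return 1; }
    # A dangling link is where the two defaults visibly diverge: acting on the
    # link succeeds, dereferencing cannot. The wrapper makes that failure loud.
    if chown_target "$me" "$dir/dangling" 2>/dev/null; then
        echo "dangling target unexpectedly succeeded" >&2; return 1
    fi
    rm -rf "$dir"
    return 0
}
```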

