Microsoft KB Archive/838238

= Server for NFS clears or does not permit you to set the Setuid bit or the Setgid bit =

Article ID: 838238

Article Last Modified on 11/15/2007


APPLIES TO


 * Microsoft Windows Storage Server 2003






SYMPTOMS
For files and directories that are group writable, or group executable, or world writable, or world executable, you may experience the following symptoms:
 * If you set either the setuid bit or the setgid bit and then make the file or directory group writable, group executable, world writable, or world executable, the bit is cleared.
 * If the file or directory is already group writable or group executable or world writable or world executable, you cannot set either the setuid bit or the setgid bit.



Hotfix Information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that this article describes. Apply this hotfix only to systems that are experiencing this specific problem.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Prerequisites
No prerequisites are required.

Restart Requirement
You do not have to restart your computer after you apply this hotfix.

Hotfix Replacement Information
This hotfix replaces the following:

835152 CPU usage hits 100 percent if the system is low on memory and the Server for NFS service is running

File Information
The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

 Date         Time   Version     Size     File name
 --------------------------------------------------
 10-Mar-2004  09:16  7.1.2239.5  423,296  Nfssvr.sys



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section of this article.



The issue with bit masking
As a result of the Microsoft Trustworthy Computing Initiative, Server for NFS has been changed to fix a known security issue in UNIX.

The bit masking in Server for NFS occurs only if the file or directory has both of the following characteristics:
 * One or both of the following bits is set: setgid or setuid.
 * The file or directory is group writable, or group executable, or world writable, or world executable.

The situation is exploited when an intruder overwrites the binary with a Trojan horse, and then executes the binary. The binary runs with the rights of the owner, instead of running as the intruder.

Some customers may find this security update problematic because the security update is different from the typical behavior of UNIX, although the typical behavior of UNIX is not specified in the Network File System (NFS) Request for Comments (RFC) 1813.

Disable safe bit masking
By default, safe bit masking is enabled. To disable the safe bit masking, add or modify the following registry value:

This registry value controls whether the setuid bit and the setgid bit are masked for security reasons.

Settings for this registry value may be as follows:
 * The default data for this registry value is 1.
 * A value of 1 causes the bits to be masked out for security reasons.
 * A value of 0 causes the standard UNIX behavior.

This hotfix also turns off bit masking for the setuid bit and the setgid bit for directories, because directories cannot be executed.
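
A model of the masking rule and registry setting described above, written as an added Python example; it is not Microsoft's code. The function names, the `masking_enabled` parameter (standing in for the registry data), the sample modes, and the choice to clear both bits together are assumptions.

```python
import os
import stat

# Permission bits the article lists as triggers: group/world write or execute.
TRIGGER_BITS = stat.S_IWGRP | stat.S_IXGRP | stat.S_IWOTH | stat.S_IXOTH
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def is_masked(mode, is_dir=False, masking_enabled=1):
    """True if the article's rule says setuid/setgid would be stripped."""
    if masking_enabled == 0:      # registry data 0: standard UNIX behavior
        return False
    if is_dir:                    # hotfix: directories are never masked
        return False
    return bool(mode & SPECIAL_BITS) and bool(mode & TRIGGER_BITS)


def effective_mode(mode, is_dir=False, masking_enabled=1):
    """Mode as this model expects it to be stored after a chmod request."""
    if is_masked(mode, is_dir, masking_enabled):
        return mode & ~SPECIAL_BITS   # assumption: both bits are cleared
    return mode


def audit_tree(root):
    """Yield (path, octal mode) for regular files matching the masking rule.

    These are the files that keep setuid/setgid once masking is disabled,
    so they are worth reviewing before changing the registry value.
    """
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and is_masked(stat.S_IMODE(st.st_mode)):
                yield path, oct(stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    # Constructed sample modes, not taken from the article.
    for m in (0o4755, 0o2775, 0o4700, 0o6644, 0o0777):
        print(oct(m), "->", oct(effective_mode(m)))
    for path, mode in audit_tree("."):
        print("review:", mode, path)
```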



For additional information about a hotfix for the same issue on Services for UNIX versions 2.3 and 3.0, click the following article number to view the article in the Microsoft Knowledge Base:

825137 Server for NFS clears or does not permit you to set the Setuid bit or the Setgid bit

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Keywords: kbqfe kbhotfixserver kbfix kbbug KB838238


© Microsoft Corporation. All rights reserved.