John Murray · Sep 2, 2016

chown may clear the setuid and setgid bits on Caché executables

I was recently troubleshooting a problem on a Linux (RHEL) instance of 2016.1 at a site. For policy reasons their sysadmins wanted to update the Caché installation so it used network accounts for its cacheusr and iscagent users and groups instead of the locally-created ones that had been set up during the original install of Caché.

To do this they ran various commands including chown.

Afterwards, non-root users couldn't obtain a terminal session using the csession command. Instead they received this message:

cache: Permission denied

It turned out that the chown command cleared important setuid and setgid bits that had previously been set on certain files in the bin directory.

By consulting a working instance we were able to reinstate the correct bits.

I'm posting this article in case the information is useful to others in the future (including myself, when I forget that I once knew it).
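
A way to avoid depending on a working instance for reference is to record the special bits before the ownership change and reapply them afterwards. The script below is an added example, not part of the original post or of any InterSystems tooling; the function names are hypothetical, and it assumes GNU find and stat as shipped with RHEL.

```shell
#!/bin/sh
# Added example: record setuid/setgid bits before an ownership change and
# put them back afterwards. Needs GNU find (-perm /6000) and GNU stat (-c).
#
# Typical use (the directory is a placeholder for the instance's bin directory):
#   snapshot_special_bits <install-dir>/bin > bits.before
#   ... run the chown commands ...
#   report_lost_bits     < bits.before    # what did chown strip?
#   restore_special_bits < bits.before    # as root, reapply u+s / g+s

# Print "<octal mode> <path>" for every regular file under $1 that has the
# setuid (4000) or setgid (2000) bit set, sorted by path.
snapshot_special_bits() {
    find "$1" -type f -perm /6000 -exec stat -c '%a %n' {} + | sort -k2
}

# Read a snapshot on stdin; print each path that has lost a special bit
# it carried when the snapshot was taken. Paths containing newlines are
# not supported by this line-based format.
report_lost_bits() {
    while read -r mode path; do
        [ -f "$path" ] || continue
        now=$(stat -c '%a' "$path")
        want=$(( (0$mode >> 9) & 6 ))   # 4 = setuid, 2 = setgid
        have=$(( (0$now >> 9) & 6 ))
        if [ $(( want & have )) -ne "$want" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Read a snapshot on stdin and add back only the setuid/setgid bits it
# recorded. Other permission bits and the (new) ownership are left alone,
# so a restored setuid file now runs as its new owner.
restore_special_bits() {
    while read -r mode path; do
        [ -f "$path" ] || continue
        want=$(( (0$mode >> 9) & 6 ))
        if [ $(( want & 4 )) -ne 0 ]; then chmod u+s "$path"; fi
        if [ $(( want & 2 )) -ne 0 ]; then chmod g+s "$path"; fi
    done
    return 0
}
```
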


Just for clarification, this is known behaviour:

info coreutils 'chown invocation':

   The `chown' command sometimes clears the set-user-ID or set-group-ID
permission bits.  This behavior depends on the policy and functionality
of the underlying `chown' system call, which may make system-dependent
file mode modifications outside the control of the `chown' command.
For example, the `chown' command might not affect those bits when
invoked by a user with appropriate privileges, or when the bits signify
some function other than executable permission (e.g., mandatory
locking).  When in doubt, check the underlying system behavior.