Server for NFS clears or does not permit you to set the Setuid bit or the Setgid bit (838238)



The information in this article applies to:

  • Microsoft Windows Storage Server 2003

SYMPTOMS

For files and directories that are group writable, group executable, world writable, or world executable, you may experience the following symptoms:
  • If the setuid bit or the setgid bit is set and you then make the file or directory group writable, group executable, world writable, or world executable, the bit is cleared.
  • If the file or directory is already group writable, group executable, world writable, or world executable, you cannot set either the setuid bit or the setgid bit.

RESOLUTION

Hotfix Information

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Prerequisites

No prerequisites are required.

Restart Requirement

You do not have to restart your computer after you apply this hotfix.

Hotfix Replacement Information

This hotfix replaces the following:

835152 CPU usage hits 100 percent if the system is low on memory and the Server for NFS service is running

File Information

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version            Size    File name
   --------------------------------------------------------------
   10-Mar-2004  09:16  7.1.2239.5        423,296  Nfssvr.sys

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section of this article.

MORE INFORMATION

The issue with bit masking

As a result of the Microsoft Trustworthy Computing Initiative, Server for NFS has been changed to fix a known security issue in UNIX.

The bit masking in Server for NFS occurs only if the file or directory has both of the following characteristics:
  • One or both of the following bits is set: setgid or setuid.
  • The file or directory is group writable, or group executable, or world writable, or world executable.
This combination can be exploited when an intruder overwrites the binary with a Trojan horse and then executes it. The binary then runs with the rights of the owner instead of the rights of the intruder.

Some customers may find this security update problematic because its behavior differs from the typical behavior of UNIX, although that typical behavior is not specified in the Network File System (NFS) Request for Comments (RFC) 1813.

Disable safe bit masking

By default, safe bit masking is enabled. To disable the safe bit masking, add or modify the following registry value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NfsSvr\Parameters\SafeSetUidGidBits = (DWORD) 0

This registry value controls whether the setuid bit and the setgid bit are masked for security reasons.

Settings for this registry value may be as follows:
  • The default data for this registry value is 1.
  • A value of 1 causes the bits to be masked out for security reasons.
  • A value of 0 causes the standard UNIX behavior.
This hotfix also turns off bit masking for the setuid bit and the setgid bit for directories, because directories cannot be executed.
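
The masking rule, the directory exemption, and the SafeSetUidGidBits setting described above, modelled as an added example (not Microsoft's code and not part of the original article): it reports which entries in a tree would have the setuid or setgid bit cleared. The names effective_mode and audit_tree are hypothetical, and the script assumes it runs on a UNIX host that sees the real mode bits.

```python
import os
import stat
import sys

# Permission bits the article names: group/world writable or executable.
RISKY = stat.S_IWGRP | stat.S_IXGRP | stat.S_IWOTH | stat.S_IXOTH
SPECIAL = stat.S_ISUID | stat.S_ISGID


def effective_mode(mode, is_dir=False, safe_bits=1):
    """Model of the post-hotfix rule: return mode as Server for NFS would keep it.

    safe_bits mirrors SafeSetUidGidBits (1 = mask, 0 = standard UNIX behavior).
    """
    if safe_bits == 0 or is_dir:          # masking disabled, or directory exempt
        return mode
    if mode & SPECIAL and mode & RISKY:   # both characteristics present
        return mode & ~SPECIAL            # setuid/setgid cleared
    return mode


def audit_tree(root, safe_bits=1):
    """Return sorted (path, current, masked) for entries that would lose a bit."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):  # symlink modes are not meaningful
                continue
            mode = stat.S_IMODE(st.st_mode)
            masked = effective_mode(mode, stat.S_ISDIR(st.st_mode), safe_bits)
            if masked != mode:
                findings.append((path, oct(mode), oct(masked)))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit.py /path/to/exported/tree
    for path, current, masked in audit_tree(sys.argv[1]):
        print(f"{path}: {current} -> {masked}")
```

Entries that appear in the report are the ones whose behavior changes between SafeSetUidGidBits = 1 and SafeSetUidGidBits = 0.
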
For additional information about a hotfix for the same issue on Services for UNIX versions 2.3 and 3.0, click the following article number to view the article in the Microsoft Knowledge Base:

825137 Server for NFS clears or does not permit you to set the Setuid bit or the Setgid bit

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates


Modification Type: Major
Last Reviewed: 4/7/2006
Keywords: kbQFE KBHotfixServer kbfix kbBug KB838238 kbAudITPRO