Use Setuid, Setgid, and Sticky Bits with Server for NFS

Applies To: Windows Server 2008 R2

Users of client computers can use the chmod utility to set the setuid (set-user-identifier-on-execution), setgid (set-group-identifier-on-execution), and sticky file mode bits on files or directories that are stored on an NTFS file system partition and shared through Server for NFS. When the file or directory is subsequently accessed by a UNIX-based client, the standard semantics for these bits will apply. For example, an executable file that has the setuid bit set will execute under the user ID (UID) of the file owner, not the UID of the user who is executing the file.

Typically, when the setuid or setgid bit is set on a file, the owner or group of the file is changed to the user ID (UID) or group ID (GID) under which the file will execute. Unless a user has the right to restore files or directories, Windows security allows a user to take ownership of a file (if the file permissions allow it), but not to transfer ownership to a second user. Consequently, to use chown or chgrp to change the owner or group of a file to another user or group, you must have the privilege to restore files and directories. By default, this privilege is assigned to members of the Administrators and Backup Operators groups, although it can be assigned to other groups or to individual users. In addition, the account of the user running chown or chgrp and the user or group to whom ownership is being transferred must be properly mapped through Active Directory Lookup or User Name Mapping.

Some UNIX-based Network File System (NFS) servers apply special interpretations or restrictions for the setuid, setgid, and sticky bits. Some versions of UNIX, for example, enforce mandatory locking on a directory with the setgid bit set but no execute permissions. Server for NFS does not implement special interpretations or restrictions on using these bits.

Security issue

Typical UNIX setuid and setgid behavior presents a known security issue in UNIX. An intruder can exploit setuid and setgid behavior by overwriting an executable file with a Trojan horse and then running the executable file. The executable file runs with the rights of the owner, instead of running as the intruder.

To prevent this known security issue, by default, setuid and setgid are disabled and will not affect the UID or GID settings if the file or directory has both of the following characteristics:

  • One or both of the following bits is set: setgid or setuid.

  • The file or directory is group writable, group executable, world writable, or world executable.

Some customers may find this security measure problematic because it is different from the typical behavior of UNIX, although the typical behavior of UNIX setuid and setgid is not specified as part of the NFS protocol.
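The rule above is easy to misjudge from a directory listing, because a setuid binary with the usual rwsr-xr-x mode is group and world executable and therefore has its setuid bit ignored under the default setting. The following added example (not part of this article, and not Microsoft code) parses ls -l style mode strings, applies the rule for both SafeSetUidGidBits values, and lists which entries of a constructed sample export would have their set-id bits silently ignored; the paths are made up for illustration.

```python
import stat

# Group/world write or execute bits. With SafeSetUidGidBits = 1 (the default),
# Server for NFS ignores setuid/setgid when any of these is set alongside them.
LOOSE_MASK = stat.S_IWGRP | stat.S_IXGRP | stat.S_IWOTH | stat.S_IXOTH

# One entry per ls column: plain letter and bit, plus (for execute columns) the
# letter and bit of the set-id or sticky flag that may replace it.
COLUMNS = [
    ("r", stat.S_IRUSR), ("w", stat.S_IWUSR), ("x", stat.S_IXUSR, "s", stat.S_ISUID),
    ("r", stat.S_IRGRP), ("w", stat.S_IWGRP), ("x", stat.S_IXGRP, "s", stat.S_ISGID),
    ("r", stat.S_IROTH), ("w", stat.S_IWOTH), ("x", stat.S_IXOTH, "t", stat.S_ISVTX),
]

def parse_symbolic_mode(text: str) -> int:
    """Convert an ls -l mode such as '-rwsr-xr-x' or 'drwxrwsr-x' to mode bits."""
    perms = text[1:] if len(text) == 10 else text   # drop the file-type column
    if len(perms) != 9:
        raise ValueError(f"bad mode string: {text!r}")
    mode = 0
    for ch, col in zip(perms, COLUMNS):
        letter, bit = col[0], col[1]
        if ch == "-":
            continue
        if ch == letter:
            mode |= bit
        elif len(col) == 4 and ch.lower() == col[2]:
            mode |= col[3]            # setuid, setgid or sticky bit
            if ch.islower():          # 's'/'t' also carry the execute bit
                mode |= bit
        else:
            raise ValueError(f"unexpected {ch!r} in {text!r}")
    return mode

def setid_honored(mode: int, safe_setuid_gid_bits: int = 1) -> bool:
    """True if the set-id bits on this mode take effect through Server for NFS."""
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return False                  # nothing to honor
    if safe_setuid_gid_bits == 0:
        return True                   # standard UNIX behavior
    return not mode & LOOSE_MASK      # safe behavior: loose permissions disable it

def audit(entries, safe_setuid_gid_bits: int = 1):
    """Return paths whose setuid/setgid bit is set but would be ignored."""
    ignored = []
    for path, sym in entries:
        mode = parse_symbolic_mode(sym)
        if mode & (stat.S_ISUID | stat.S_ISGID) and not setid_honored(mode, safe_setuid_gid_bits):
            ignored.append(path)
    return ignored

SAMPLE = [  # constructed listing of a hypothetical export, not real files
    ("/export/bin/passwd", "-rwsr-xr-x"),   # typical setuid binary: ignored by default
    ("/export/bin/report", "-rwsr-----"),   # owner-only access: honored
    ("/export/shared", "drwxrwsr-x"),       # setgid dir, group writable: ignored
    ("/export/bin/ls", "-rwxr-xr-x"),       # no set-id bit at all
]
```

Calling audit(SAMPLE) reports the first and third entries, while audit(SAMPLE, 0) reports none, which is the trade-off the registry setting below controls.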

Changing setuid and setgid behavior

Use the following procedure to change the behavior of the setuid and setgid bits:

To change setuid and setgid behavior

  1. Open Registry Editor.

  2. Set the following registry key:

    HKEY_Local_Machine\System\CurrentControlSet\Services\NfsSvr\Parameters\SafeSetUidGidBits = (DWORD)

    • A value of 1 causes safer setuid and setgid behavior.

    • A value of 0 causes the standard UNIX behavior.

Additional references