Setgid/Setuid does not work against an NFS share hosted on Windows 2012
One of our customers recently reported an issue where setgid/setuid was not working against an NFS share hosted on Windows 2012. Below are two images which show the expected behaviour when SGID is set on a local share vs. the unexpected behaviour over an NFS share.
Through our investigation we could see that the observed setgid behaviour is by design and in compliance with the NFS protocol. This is the same for Microsoft Windows NFS Server (both v3 and v4.1). Per Windows NFS Server's design, newly created files will always be owned by the user/group that issued the CREATE request; in particular, it does not take the owner, group, or mode bits of the parent directory into consideration when creating the ACL for the newly created file, nor does the NFS specification require NFS servers to do so. There is a KB article on this: https://support.microsoft.com/kb/951716
Inputs on the SafeSetUidGidBits registry value:
The article https://technet.microsoft.com/en-us/library/cc731734.aspx talks about a registry value HKEY_Local_Machine\System\CurrentControlSet\Services\NfsSvr\Parameters\SafeSetUidGidBits (DWORD):
A value of 1 causes safer setuid and setgid behavior.
A value of 0 causes the standard UNIX behavior.
SafeSetUidGidBits controls whether the NFS Server filters out the SetUID/SetGID bits from executable non-directory files when everybody or the file's group is granted write access to the file.
If a file is writable by somebody other than the file's owner, then that somebody can replace the file with different contents.
If the file is executable by somebody other than the file's owner and the file has the SetUID bit set, executing the modified file contents will potentially run the modified file with alternate user credentials, resulting in a potential elevation of privilege vulnerability.
As such, when SafeSetUidGidBits is enabled (the default), the NFS server tells NFS clients that the SetUID/SetGID mode bits aren't set, so that any client executing the program runs it with the user's own credentials rather than alternate credentials.
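The two behaviours described on this page (group ownership of a newly created file, and the SafeSetUidGidBits masking of SetUID/SetGID bits on group- or world-writable executables) as an added Python model. This is illustrative code, not Microsoft's NFS server implementation; the function names, the `server` parameter and the sample export listing are assumptions made for the example.

```python
import stat

# Added, illustrative model of the rules described on this page. It is not
# Microsoft's NFS server code; function names and sample data are assumptions.

SETUID_SETGID = stat.S_ISUID | stat.S_ISGID
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def is_unsafe_setid(mode: int) -> bool:
    """True when `mode` describes an executable non-directory file that carries
    setuid/setgid and is writable by the group or by everybody.

    This is the condition under which SafeSetUidGidBits=1 hides the bits."""
    return (
        not stat.S_ISDIR(mode)
        and bool(mode & SETUID_SETGID)
        and bool(mode & ANY_EXEC)
        and bool(mode & GROUP_OR_OTHER_WRITE)
    )


def advertised_mode(mode: int, safe_set_uid_gid_bits: int = 1) -> int:
    """Mode bits the server reports to NFS clients for a file stored with `mode`.

    With SafeSetUidGidBits=1 (the default) the setuid/setgid bits are stripped
    from unsafe files; with 0 the stored mode is passed through unchanged."""
    if safe_set_uid_gid_bits == 0 or not is_unsafe_setid(mode):
        return mode
    return mode & ~SETUID_SETGID


def new_file_group(parent_mode: int, parent_gid: int, creator_gid: int,
                   server: str = "windows_nfs") -> int:
    """Group owner of a file created inside a directory with `parent_mode`.

    A POSIX filesystem propagates the directory's group when the directory has
    setgid set; Windows NFS Server, as described above, always uses the group
    of the principal that issued the CREATE request."""
    if server == "posix" and stat.S_ISDIR(parent_mode) and parent_mode & stat.S_ISGID:
        return parent_gid
    return creator_gid


def audit_export(entries, safe_set_uid_gid_bits: int = 1):
    """Return (path, stored, advertised) for every entry whose advertised mode
    differs from its stored mode, i.e. the files the server would mask."""
    findings = []
    for path, mode in entries:
        shown = advertised_mode(mode, safe_set_uid_gid_bits)
        if shown != mode:
            findings.append((path, stat.filemode(mode), stat.filemode(shown)))
    return findings


# Constructed sample listing of an export as (path, st_mode); not real data.
SAMPLE_EXPORT = [
    ("/export/bin/tool",   0o104755),  # setuid, only owner can write: kept
    ("/export/bin/shared", 0o104775),  # setuid, group-writable: masked
    ("/export/bin/world",  0o102777),  # setgid, world-writable: masked
    ("/export/data/notes", 0o104666),  # setuid but not executable: kept
    ("/export/project",    0o042775),  # setgid directory: kept
]

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print("%-20s stored %s  advertised %s" % finding)
    print("group of new file under setgid dir: posix=%d windows_nfs=%d" % (
        new_file_group(0o042775, 100, 200, "posix"),
        new_file_group(0o042775, 100, 200, "windows_nfs")))
```

Running the script against the constructed listing reports only the two group- or world-writable setuid/setgid executables as masked, which matches the rule above: a setuid binary writable only by its owner, a non-executable file and a setgid directory are all passed through unchanged. The `audit_export` helper is the shape of check an administrator can run over a real export's `st_mode` values to see which files clients would see with their SetUID/SetGID bits hidden.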