[Rpm-maint] [rpm-software-management/rpm] `removeSBITS()` return value ignored on multi-link setuid files (Issue #4200)

[Dan Anderson]

MillaFleurs created an issue (rpm-software-management/rpm#4200)

**Describe the bug**
In fsm.cc line 478 we have this comment here:

```cpp
	/* XXX TODO: actually check for the rc, but what to do there? */
```

This comment is around the fact that when rpm removes a file it strips the setuid/setguid bit before erasing or replacing in order to prevent surviving hardlinks from keeping priviledged mode bits.

I am providing a patch to fix this TODO / bug.  

**To Reproduce**
I'm attaching a file poc.sh.  Run poc.sh as root and you will create a hardlink 

**Expected behavior**
The hardlink should be stripped of the setuid bit.  Instead the hardlink keeps the setuid bit.  This can create a hidden bug.  Hardlink keeps the same inode.

So what should happen is the hardlink should have the setuid removed but instead it keeps it.

**Output**
>From my POC:

```bash
Before erase:
inode=52419 links=2 mode=4755 owner=root:root path=/tmp/tmp.4SVYjU1Jhd/root/opt/rpm1/suidbin
inode=52419 links=2 mode=4755 owner=root:root path=/tmp/tmp.4SVYjU1Jhd/root/tmp/suid_keepsake
rpm -e exit code: 0
After erase:
inode=52419 links=1 mode=4755 owner=root:root path=/tmp/tmp.4SVYjU1Jhd/root/tmp/suid_keepsake
```

```/tmp/suid_keepsake``` remains setuid set.  

**Environment**
 - OS / Distribution: CentOS Stream release 10 (Coughlan)
 - Version RPM version 4.19.1.1

**Additional context**
Bug found using the [N184 Bug and Vulnerability Scanner](https://github.com/MillaFleurs/N184)


-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/4200
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/issues/4200 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20260504/438640f9/attachment.htm>