Gentoo Forums
WHAT THE? normal user can remove root owned files!!!
eccles23
n00b

Joined: 03 Mar 2004
Posts: 9

Posted: Mon Apr 19, 2004 12:31 am    Post subject: WHAT THE? normal user can remove root owned files!!!

um... am I just going totally insane or should this be absolutely impossible!

Quote:

Total translation table size: 0
Total rockridge attributes bytes: 226773
Total directory bytes: 581632
Path table size(bytes): 2254
Max brk space used 1ac000
332221 extents written (648 Mb)
radiance testiso # exit
logout
bash-2.05b$ ls
deb.iso deb2.iso
bash-2.05b$ ls -l
total 1328264
-rw-r--r-- 1 eccles users 678412288 Apr 19 10:11 deb.iso
-rw-r--r-- 1 root root 680388608 Apr 19 10:25 deb2.iso
bash-2.05b$ mv deb2.iso old_mdk.iso
bash-2.05b$ ls -l
total 1328264
-rw-r--r-- 1 eccles users 678412288 Apr 19 10:11 deb.iso
-rw-r--r-- 1 root root 680388608 Apr 19 10:25 old_mdk.iso
bash-2.05b$ ls -l
total 1328264
-rw-r--r-- 1 eccles users 678412288 Apr 19 10:11 deb.iso
-rw-r--r-- 1 root root 680388608 Apr 19 10:25 old_mdk.iso
bash-2.05b$ rm old_mdk.iso
rm: remove write-protected regular file `old_mdk.iso'? y
bash-2.05b$ ls -l
total 663164
-rw-r--r-- 1 eccles users 678412288 Apr 19 10:11 deb.iso
bash-2.05b$ ls -l
total 663164
-rw-r--r-- 1 eccles users 678412288 Apr 19 10:11 deb.iso
bash-2.05b$


see what happened???
I created an iso as root, in a subdirectory under my home directory.
then I exited from superuser mode, so that I'd be back in the directory I had told it to make it in.
I renamed it, after realising it was a mis-labelled cd, and THEN realised that I had just renamed a file as a regular user that the permissions stated I only had read access to...

So then I thought I'd try deleting it, and after a warning it let me.
WHAT THE HELL IS GOING ON!

here is the relevant line for the partition the file was on from my fstab:

Quote:

/dev/hdb1 /home/eccles/multimedia ext3 defaults 0 0


as you can see there are no weird permissions or setuids or anything like that. (not that that should allow a user to do what I did - but I thought ppl might ask)...

so... um... WHAT IS GOING ON?
has my system been compromised or something?

thanks,
eccles

Voltago
Advocate

Joined: 02 Sep 2003
Posts: 2593
Location: userland

Posted: Mon Apr 19, 2004 12:40 am

What is the result of
Code:
groups eccles

?

eccles23
n00b

Joined: 03 Mar 2004
Posts: 9

Posted: Mon Apr 19, 2004 12:41 am

Quote:

radiance dvd # groups eccles
lp wheel audio games users fsmount


ie I am not in the group root...
(if that's what you were thinking)
I should have mentioned that before


:?

eccles23
n00b

Joined: 03 Mar 2004
Posts: 9

Posted: Mon Apr 19, 2004 12:43 am

also - I should have mentioned that the directory I was in at the time was:

Quote:

/home/eccles/multimedia/[ISO]Linux


so it was under my home directory, but again that should make zero difference.... if a file is owned by root, and only writable by root, then I do not expect to be able to change or remove it as a regular user...

eccles23
n00b

Joined: 03 Mar 2004
Posts: 9

Posted: Mon Apr 19, 2004 12:53 am

this IS repeatable also... look at this...

I just created another iso of the CD... and then:

Quote:

bash-2.05b$ cd /home/eccles/multimedia/\[ISO\]Linux/

bash-2.05b$ ls -l
total 1328264
-rw-r--r-- 1 eccles users 678412288 Apr 19 10:11 deb.iso
-rw-r--r-- 1 root root 680388608 Apr 19 10:54 test.iso

bash-2.05b$ lsattr
------------- ./deb.iso
------------- ./test.iso

bash-2.05b$ echo "test" >> test.iso
bash: test.iso: Permission denied

bash-2.05b$ mv test.iso test1.isop
bash-2.05b$ ls -l
total 1328264
-rw-r--r-- 1 eccles users 678412288 Apr 19 10:11 deb.iso
-rw-r--r-- 1 root root 680388608 Apr 19 10:54 test1.isop

bash-2.05b$ mv test1.isop test0.iso
bash-2.05b$ ls -l
total 1328264
-rw-r--r-- 1 eccles users 678412288 Apr 19 10:11 deb.iso
-rw-r--r-- 1 root root 680388608 Apr 19 10:54 test0.iso


bash-2.05b$ head -n2 test0.iso
CD001LINUX CDROM d"½
( MKISOFS ISO 9660/HFS FILESYSTEM BUILDER & CDRECORD CD-R/DVD CREATOR (C) 1993 E.YOUNGDALE (C) 1997 J.PEARSON/J.SCHILLING 2004041910515600(2004041910515600(00000000000000002004041910515600( ÿCD001MKI Mon Apr 19 10:51:56 2004
mkisofs 2.01a24 -R -o .../test.iso .../dvdKDOrDOSUTILSvIMAGESwLNX4WIyMANDRAKE3MIS▒RR_MOVEDLINSTALsH VI_VN.TCV VI_VN.VIS ZH_CN.GB2 ZH_TW.BIGO BGP BRQ CAR CSS DAT DEU ELV EOW ESX ETY EUZ FI[ FR\ GA] GL^ HR_ HU` IDa IMAGESb ITc LTd NLe NOf PLg PTh PT_BRi RUj SKk SRl SVm TRn Uo UK_CP125p ZH_CNq ZH_TWt


bash-2.05b$ echo "1" >> test0.iso
bash: test0.iso: Permission denied


bash-2.05b$ echo "1" > test0.iso
bash: test0.iso: Permission denied


bash-2.05b$ cat deb.iso > test0.iso
bash: test0.iso: Permission denied


bash-2.05b$ rm test0.iso
rm: remove write-protected regular file `test0.iso'? y
bash-2.05b$ ls -l
total 663164
-rw-r--r-- 1 eccles users 678412288 Apr 19 10:11 deb.iso



(I spaced it out a bit to make it easier to follow).
what is going on?
this is so weird.


Last edited by eccles23 on Mon Apr 19, 2004 12:56 am; edited 1 time in total

solomonHk
Apprentice

Joined: 28 Mar 2004
Posts: 226
Location: int main(void) { };

Posted: Mon Apr 19, 2004 12:55 am

What are the permissions on the actual file? It may be different in shared web administration, but if I root, on a server, to a user's home directory (which is their virtual webspace) and I create a file, let's say x.x. On my system, it automatically creates the file with 777 so that the user for that home can open it. In order to protect it, I have to go in and chmod it manually or create it in root and then copy it to the user's home dir, thus copying permissions. Of course, this could be just how I have file creation set up on that particular server. Been forever since I configed it, but it may also be in the shared hosting configs.

eccles23
n00b

Joined: 03 Mar 2004
Posts: 9

Posted: Mon Apr 19, 2004 12:59 am

and check this one out...

Quote:

radiance dvd # ls
COPYING Mandrake RPM-GPG-KEYS VERSION autorun.inf doc dosutils images index.htm install.htm lnx4win misc rr_moved
radiance dvd # cat VERSION > /home/eccles/VERSION
radiance dvd # exit
logout
bash-2.05b$ cd /home/eccles
bash-2.05b$ ls -l VERSION
-rw-r--r-- 1 root root 31 Apr 19 11:01 VERSION
bash-2.05b$ echo "blah" >> VERSION
bash: VERSION: Permission denied
bash-2.05b$ mv VERSION version
bash-2.05b$ ls -l | grep -i version
-rw-r--r-- 1 root root 31 Apr 19 11:01 version
bash-2.05b$ rm version
rm: remove write-protected regular file `version'? y
bash-2.05b$ ls -l | grep -i version
bash-2.05b$

eccles23
n00b

Joined: 03 Mar 2004
Posts: 9

Posted: Mon Apr 19, 2004 1:01 am

SolomonHk:

the permissions on the file were 644... (ie rw-r--r--)
so I, as a global user (not an owner or group member), should only have had read access.

solomonHk
Apprentice

Joined: 28 Mar 2004
Posts: 226
Location: int main(void) { };

Posted: Mon Apr 19, 2004 1:04 am

Yeah, I see that now with
Code:
-rw-r--r-- 1 eccles users 678412288 Apr 19 10:11 deb.iso


Gonna take a second look at my box to see what's up.

solomonHk
Apprentice

Joined: 28 Mar 2004
Posts: 226
Location: int main(void) { };

Posted: Mon Apr 19, 2004 1:13 am

Ok, I still think it goes by owner of that home directory.

exempli gratia:

I logged into root and navigated to a user on my server, derekmcc's, home folder. Inside I created a file "test.x."
The permissions were the following:
Code:
login as: root
root@****.com's password:
root@fusion [~/home/derekmcc]# vi test.x
root@fusion [~/home/derekmcc]# ls -l
total 144
drwx--x--x   13 derekmcc derekmcc     4096 Apr 18 20:07 ./
drwx--x--x  601 root     root        16384 Apr 17 13:27 ../
-rw-------    1 derekmcc derekmcc      957 Jun  9  2003 .accesshash
-rw-------    1 derekmcc derekmcc     3759 Apr 13 20:51 .bash_history
-rwxr-xr-x    1 derekmcc derekmcc    13044 Jan  7 00:55 feet*
-rw-r--r--    1 derekmcc derekmcc       30 Apr 18 19:59 .lastlogin
drwxr-xr-x    3 derekmcc derekmcc     4096 Jun  5  2003 public_ftp/
drwxr-x---    6 derekmcc nobody       4096 Apr  8 23:16 public_html/
-rw-------    1 derekmcc derekmcc       24 Oct 30 22:43 .spamkey
drwx------    2 derekmcc derekmcc     4096 Jul 30  2003 .sqmaildata/
-rwxr-xr-x    1 derekmcc derekmcc    12980 Jan  7 00:28 test*
-rw-r--r--    1 derekmcc derekmcc      181 Jan  7 00:28 test.c
-rw-r--r--    1 root     root            0 Apr 18 20:07 test.x
drwx------    7 derekmcc derekmcc     4096 Mar  9 16:25 tmp/
drwx------    2 derekmcc derekmcc     4096 Jul 30  2003 .trash/
-rw-------    1 derekmcc derekmcc     4347 Apr  8 21:44 .viminfo
lrwxrwxrwx    1 derekmcc derekmcc       11 Oct 15  2003 www -> public_html/
root@fusion [~/home/derekmcc]#

See the file:
Code:
-rw-r--r--    1 root     root            0 Apr 18 20:07 test.x


I then logged into the server as derekmcc, and not using root password, and was successfully able to kill the file.

eccles23
n00b

Joined: 03 Mar 2004
Posts: 9

Posted: Mon Apr 19, 2004 1:21 am

oh!!!
well thanks for that :D

I never knew that was possible! (and I have been using linux for a few years).

thanks again :D

solomonHk
Apprentice

Joined: 28 Mar 2004
Posts: 226
Location: int main(void) { };

Posted: Mon Apr 19, 2004 1:22 am

No problem, bud. Hey, I gotta do something to offset my obsessive trolling, right? :wink:

nbensa
l33t

Joined: 10 Jul 2002
Posts: 799
Location: Buenos Aires, Argentina

Posted: Mon Apr 19, 2004 1:23 am

It doesn't matter what permissions the file has. If the directory is owned by you, and you have write permission on the directory, you can delete whatever you want there.

solomonHk
Apprentice

Joined: 28 Mar 2004
Posts: 226
Location: int main(void) { };

Posted: Mon Apr 19, 2004 1:26 am

nbensa wrote:
It doesn't matter what permissions the file has. If the directory is owned by you, and you have write permission on the directory, you can delete whatever you want there.


So,...
Quote:
Ok, I still think it goes by owner of that home directory


-=0)~

etoczek
n00b

Joined: 25 Feb 2004
Posts: 3
Location: Earth

Posted: Mon Apr 19, 2004 2:41 am    Post subject: Unix-type Filesystems 101

Yeah, what was said above is true. All a file is really is a line in the directory file which matches a name to an inode number.
So to delete a file all you're doing is removing the line in the directory file. Once that is done the link count on the inode is reduced by one. When the link count is at 0 it will be deleted during the next cleanup cycle.

So to delete a file in most unix-type file systems all you need to do is have write permission on the directory. To change the contents of the file itself, that is when you get into the permissions on the file.

However if you do want the file to only be deleted by the owner you can change the permissions on the folder to add the sticky bit. If you do

Code:
 chmod 1??? /home/user

that will then set the sticky bit on the folder. Which will then make it so that only the owner of a file can remove the listing in the directory file.

With a long listing it will have the last permission as a t like so:

Code:
 drwxrwxrwt    2 etoczek  users        4096 Apr  5 14:05 temp


(okay, back to lurking)
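
Added example, not part of the original thread: a small Python model of the mode-bit checks discussed above, showing why eccles could rename and remove root's file but not write to it, and what the sticky bit changes. The numeric ids, the directory's mode and all helper names are assumptions; ACLs, capabilities, `chattr +i` and LSM policy are not modelled.

```python
import os
import stat
from collections import namedtuple

# Simplified model of the classic Unix mode-bit checks (added example).
Node = namedtuple("Node", "mode uid gid")      # what ls -l shows for an inode
Cred = namedtuple("Cred", "uid gids")          # who is asking

def bits(node, cred):
    """rwx triplet that applies to cred: owner, else group, else other."""
    if cred.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in cred.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7

def may_write(node, cred):
    """Changing file CONTENTS is decided by the file's own mode."""
    return cred.uid == 0 or bool(bits(node, cred) & 2)

def may_unlink(directory, entry, cred):
    """Removing or renaming a NAME is decided by the parent directory."""
    if cred.uid == 0:
        return True
    if (bits(directory, cred) & 3) != 3:       # need write + search (w and x)
        return False
    if directory.mode & stat.S_ISVTX:          # sticky bit: restricted deletion
        return cred.uid in (entry.uid, directory.uid)
    return True                                # entry's own mode is never read

def node_of(path):
    """Build a Node from a real path (lstat, so symlinks are not followed)."""
    st = os.lstat(path)
    return Node(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

# Constructed from the thread's listings; numeric ids and the directory's
# mode are assumptions (the thread never shows `ls -ld` of the directory).
ECCLES = Cred(uid=1000, gids={100})
ISO_DIR = Node(0o755, 1000, 100)               # drwxr-xr-x eccles users
ROOT_ISO = Node(0o644, 0, 0)                   # -rw-r--r-- root root
TMP_DIR = Node(0o1777, 0, 0)                   # drwxrwxrwt root root

if __name__ == "__main__":
    print("append to root's iso:", may_write(ROOT_ISO, ECCLES))
    print("rm/mv in own dir    :", may_unlink(ISO_DIR, ROOT_ISO, ECCLES))
    print("rm in sticky dir    :", may_unlink(TMP_DIR, ROOT_ISO, ECCLES))
```

In a sticky directory the model allows removal by the file's owner, the directory's owner, or root, which is why setting the bit on a home directory does not stop its owner from removing root's files there.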

All times are GMT