Gentoo Forums :: Networking & Security
Weird permission overrides
arkane (l33t)
Joined: 30 Apr 2002
Posts: 918
Location: Phoenix, AZ
Posted: Mon Oct 18, 2004 5:20 pm    Post subject: Weird permission overrides

I feel kind of weird about asking because it makes sense in an "oh god no..." way, but nonetheless here goes.

I noticed that when a directory is owned by root, and has write in the group, a person in that group can change the ownership of a file to themselves even if the file is read-only to them. Is this normal??

Example:

mkdir /shared-files
chown root:root /shared-files
chmod 770 /shared-files
touch /shared-files/root-owned-file
chmod 740 /shared-files/root-owned-file
chgrp users /shared-files
chgrp users /shared-files/root-owned-file

ls -ald /shared-files
drwxrw---- 2 root users 4096 Oct 18 10:08 /shared-files/
ls -ald /shared-files/root-owned-file
-rw-r----- 1 root users 0 Oct 18 10:08 /shared-files/root-owned-file

(now, go to a normal user who should have the group 'users' by default)
cd /shared-files
vi root-owned-file
type something into the file, and do a force-write (:w!)

The file will be owned by the user, even though they didn't have permission to edit the file. Remember, the file had read-only permission.

I've tested this with SuSE, Gentoo, Redhat (7.2/8.0/AS2.1/AS3.0), and BSD....

It seems really odd considering there are times when you have a single folder writable by many people (shared folder), but each file owned by a single user.

Though the /etc and /tmp directories seem to be immune to this.

Is this a vulnerability? Well it IS a vulnerability, but is it an inherent vulnerability or a bug?
tomk (Bodhisattva)
Joined: 23 Sep 2003
Posts: 7221
Location: Sat in front of my computer
Posted: Mon Oct 18, 2004 5:48 pm

You want to have a look at what the sticky bit does in the chmod manpage. It is set on /tmp and you should also set it on other shared directories if you want only the file owner to be allowed to rename or delete the file.
_________________
Search | Read | Answer | Report | Strip
meathoz (n00b)
Joined: 18 Jan 2004
Posts: 61
Location: Finland
Posted: Mon Oct 18, 2004 5:49 pm

It's not a vulnerability nor a bug, and it makes perfect sense too.

1. If one has write permission on a directory, one may modify its contents. That's deleting and adding files (deleting REGARDLESS of who the file's owner is).
2. If one has read permission on a file, one may copy its contents. (pretty obvious)

In your example, this means the user reads the file's contents into memory, deletes the file, creates a new one with the same contents and the same name, and of course becomes the owner of the new file.

The /tmp directory is immune against this because it has the sticky (t) bit set. The sticky bit set on a directory makes all its files deletable only by their owner. /tmp requires this because everyone may place files there but also keep them private.
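The rule meathoz describes (unlink needs write+search on the directory, never any permission on the file, unless the sticky bit is set) can be written down as a check and used to audit a filesystem for shared directories that are still in the state arkane's example shows. This is an added example, not code from the thread; the `Obj` tuple and the function names are my own.

```python
import os
import stat
from typing import Iterator, NamedTuple, Set

class Obj(NamedTuple):
    """Constructed stand-in for the os.stat_result fields the check needs."""
    uid: int
    gid: int
    mode: int  # full st_mode, including the S_ISVTX (sticky) bit

def _has(uid: int, gids: Set[int], o: Obj, usr: int, grp: int, oth: int) -> bool:
    """POSIX class selection: owner class, else group class, else other class."""
    if uid == o.uid:
        return bool(o.mode & usr)
    if o.gid in gids:
        return bool(o.mode & grp)
    return bool(o.mode & oth)

def can_replace(uid: int, gids: Set[int], directory: Obj, target: Obj) -> bool:
    """Can `uid` unlink `target` inside `directory` and recreate it under its own name?
    The target's own mode bits never enter into it; only the directory's do.
    With the sticky bit set, the caller must also own the file or the directory."""
    if uid == 0:
        return True
    w = _has(uid, gids, directory, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
    x = _has(uid, gids, directory, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
    if not (w and x):
        return False
    if directory.mode & stat.S_ISVTX:
        return uid in (target.uid, directory.uid)
    return True

def find_unsticky_shared_dirs(root: str) -> Iterator[str]:
    """Yield directories under `root` that are group- or world-writable without the sticky bit,
    i.e. places where any member of the group can take over any file, as in arkane's example."""
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            shared = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            if stat.S_ISDIR(st.st_mode) and shared and not (st.st_mode & stat.S_ISVTX):
                yield path
```

`find_unsticky_shared_dirs("/")` lists the candidates for `chmod +t`; each one reported is a directory in which a group member could replace another user's read-only file exactly as shown above.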
arkane (l33t)
Joined: 30 Apr 2002
Posts: 918
Location: Phoenix, AZ
Posted: Mon Oct 18, 2004 6:14 pm

Man, I remember when the sticky bit actually meant something different.

Okay, odd behavior but I guess to each their own :roll: :wink:
Thanks guys.
pjp (Administrator)
Joined: 16 Apr 2002
Posts: 20588
Posted: Tue Oct 19, 2004 1:39 am

Moved from Other Things Gentoo.
_________________
Quis separabit? Quo animo?