Hello,
Could anyone verify this "bug" I ran into, please? I don't know for sure if it
is the new kernel, or any combination of various packages (pam, rm, mv...).
Thanks,
Jimmy
###-----
Software version:
kernel 3.14.5
Debian sid
Problem description: With normal/common file permission usage, in a directory
owned by non-root user, the user can rename or delete root-owned files using:
/bin/mv
/bin/rm
Within such directory, that non-root user can also
/bin/rm, or /bin/mv an empty root-owned subdirectory
/bin/mv a subdirectory owned by root
but prevented from moving or deleting the files within such subdirectory
###-----
Some tests:
As user 'tst1':
$ mkdir -p /tmp/testing/
$ ls -altr /tmp | grep testing
drwxr-xr-x 2 tst1 tst1 4096 Jun 5 13:48 testing
As root, create some files and subdirectory in the above directory:
# echo "1 2 3 4 5" > /tmp/testing/test1.txt
# ls -altr /tmp/testing/
total 12
drwxrwxrwt 14 root root 4096 Jun 5 13:48 ..
-rw-r--r-- 1 root root 10 Jun 5 13:49 test1.txt
drwxr-xr-x 2 tst1 tst1 4096 Jun 5 13:49 .
# mkdir -p /tmp/testing/test.mvrmBug/
# ls -altr /tmp/testing/
total 16
drwxrwxrwt 14 root root 4096 Jun 5 13:48 ..
-rw-r--r-- 1 root root 10 Jun 5 13:49 test1.txt
drwxr-xr-x 2 root root 4096 Jun 5 13:50 test.mvrmBug
drwxr-xr-x 3 tst1 tst1 4096 Jun 5 13:50 .
# echo "a b c d e" > /tmp/testing/test.mvrmBug/test2.txt
# ls -altr /tmp/testing/test.mvrmBug/
total 12
drwxr-xr-x 3 tst1 tst1 4096 Jun 5 13:50 ..
-rw-r--r-- 1 root root 10 Jun 5 13:51 test2.txt
drwxr-xr-x 2 root root 4096 Jun 5 13:51 .
# mkdir -p /tmp/testing/test.mvrmEmptySubdir/
# ls -altr /tmp/testing/
total 20
drwxrwxrwt 14 root root 4096 Jun 5 13:48 ..
-rw-r--r-- 1 root root 10 Jun 5 13:49 test1.txt
drwxr-xr-x 2 root root 4096 Jun 5 13:51 test.mvrmBug
drwxr-xr-x 2 root root 4096 Jun 5 13:52 test.mvrmEmptySubdir
drwxr-xr-x 4 tst1 tst1 4096 Jun 5 13:52 .
As the original user 'tst1':
$ ls -altr /tmp/ | grep testing
drwxr-xr-x 4 tst1 tst1 4096 Jun 5 13:52 testing
$ ls -altr /tmp/testing/
total 20
drwxrwxrwt 14 root root 4096 Jun 5 13:48 ..
-rw-r--r-- 1 root root 10 Jun 5 13:49 test1.txt
drwxr-xr-x 2 root root 4096 Jun 5 13:51 test.mvrmBug
drwxr-xr-x 2 root root 4096 Jun 5 13:52 test.mvrmEmptySubdir
drwxr-xr-x 4 tst1 tst1 4096 Jun 5 13:52 .
// --- rename (move) a file owned by root, should not be allowed, but is
allowed:
$ mv -v /tmp/testing/test1.txt /tmp/testing/junk1.txt
‘/tmp/testing/test1.txt’ -> ‘/tmp/testing/junk1.txt’
$ ls -altr /tmp/testing/
total 20
drwxrwxrwt 14 root root 4096 Jun 5 13:48 ..
-rw-r--r-- 1 root root 10 Jun 5 13:49 junk1.txt
drwxr-xr-x 2 root root 4096 Jun 5 13:51 test.mvrmBug
drwxr-xr-x 2 root root 4096 Jun 5 13:52 test.mvrmEmptySubdir
drwxr-xr-x 4 tst1 tst1 4096 Jun 5 13:53 .
$ mv -v /tmp/testing/junk1.txt /tmp/testing/newjunk1.txt
‘/tmp/testing/junk1.txt’ -> ‘/tmp/testing/newjunk1.txt’
$ ls -altr /tmp/testing/
total 20
-rw-r--r-- 1 root root 10 Jun 5 13:49 newjunk1.txt
drwxr-xr-x 2 root root 4096 Jun 5 13:51 test.mvrmBug
drwxr-xr-x 2 root root 4096 Jun 5 13:52 test.mvrmEmptySubdir
drwxrwxrwt 14 root root 4096 Jun 5 13:55 ..
drwxr-xr-x 4 tst1 tst1 4096 Jun 5 13:55 .
// --- remove (delete) a file owned by root, should not be allowed, but is
allowed. Here, it says the file is 'read-only' so it warns about it, but of
course "rm -f " would work, too:
$ rm -v /tmp/testing/newjunk1.txt
rm: remove write-protected regular file ‘/tmp/testing/newjunk1.txt’? y
removed ‘/tmp/testing/newjunk1.txt’
$ ls -altr /tmp/testing/
total 16
drwxr-xr-x 2 root root 4096 Jun 5 13:51 test.mvrmBug
drwxr-xr-x 2 root root 4096 Jun 5 13:52 test.mvrmEmptySubdir
drwxrwxrwt 14 root root 4096 Jun 5 13:55 ..
drwxr-xr-x 4 tst1 tst1 4096 Jun 5 13:57 .
// --- rename (move) a subdirectory owned by root, should not be allowed,
but is allowed:
$ mv -v /tmp/testing/test.mvrmBug /tmp/testing/try.mvrmBug
‘/tmp/testing/test.mvrmBug’ -> ‘/tmp/testing/try.mvrmBug’
$ ls -altr /tmp/testing/
total 16
drwxr-xr-x 2 root root 4096 Jun 5 13:51 try.mvrmBug
drwxr-xr-x 2 root root 4096 Jun 5 13:52 test.mvrmEmptySubdir
drwxrwxrwt 14 root root 4096 Jun 5 13:55 ..
drwxr-xr-x 4 tst1 tst1 4096 Jun 5 14:00 .
$ mv -v /tmp/testing/try.mvrmBug /tmp/testing/squash.mvrmBug
‘/tmp/testing/try.mvrmBug’ -> ‘/tmp/testing/squash.mvrmBug’
$ ls -altr /tmp/testing/
total 16
drwxr-xr-x 2 root root 4096 Jun 5 13:51 squash.mvrmBug
drwxr-xr-x 2 root root 4096 Jun 5 13:52 test.mvrmEmptySubdir
drwxrwxrwt 14 root root 4096 Jun 5 13:55 ..
drwxr-xr-x 4 tst1 tst1 4096 Jun 5 14:01 .
// --- can delete (rmdir, rm -fR, rm -fr) an empty subdirectory, did not
even prompt for confirmation, should not be allowed:
$ rmdir -v /tmp/testing/test.mvrmEmptySubdir/
rmdir: removing directory, ‘/tmp/testing/test.mvrmEmptySubdir/’
$ ls -altr /tmp/testing/
total 12
drwxr-xr-x 2 root root 4096 Jun 5 13:51 squash.mvrmBug
drwxrwxrwt 14 root root 4096 Jun 5 14:03 ..
drwxr-xr-x 3 tst1 tst1 4096 Jun 5 14:03 .
// --- at least, cannot remove, or reach inside a not-empty subdirectory
owned by root, thank goodness:
$ rm -fR /tmp/testing/squash.mvrmBug
rm: cannot remove ‘/tmp/testing/squash.mvrmBug/test2.txt’: Permission denied
$ ls -altr /tmp/testing/
total 12
drwxr-xr-x 2 root root 4096 Jun 5 13:51 squash.mvrmBug
drwxrwxrwt 14 root root 4096 Jun 5 14:03 ..
drwxr-xr-x 3 tst1 tst1 4096 Jun 5 14:03 .
###-----
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive:
https://lists.debian.org/1402015161.55498.yahoomailba...@web162905.mail.bf1.yahoo.com