> > It has only one problem if user knows about chmod and chown > > can change permissions of directory because is in his/her HOME > > (obviouslly owned by the user) but normally they don't know about > > this commands. > > Normal users can't change the ownership of a file, so even if they > know about chown, it doesn't do them any good here.
If they own their home dir, then they could change the ownership
of the file to them in a roundabout way
$ cd $HOME # go home
$ chmod u+w . # make sure I can write my home dir
$ cp file newfile # copy the file owned by someone else
$ rm file # I have +wx to my home dir, I can
# delete other people's files.
$ mv newfile file # rename it back
Also, note that on some unix-like operating systems you can use
chown itself to change a file you own to be owned by someone else.
This is commonly known as 'file givaways' and is a bad idea in
general (let's you get around quotas, for example.) Has nothing
to do with this thread, but thought I should bring it up. On
one of these unix-like systems, it would be possible to change the
ownership of one of your files to anybody, regardless of directory
perms, and to yourself or anybody else if you have write perms to
the directory using the example above.
Linux is not stupid enough to allow file givaways.
--
Brian Hatch Join the Army,
Systems and meet interesting
Security Engineer people, kill them.
http://www.ifokr.org/bri/
Every message PGP signed
pgp00000.pgp
Description: PGP signature
