Re: [newbie] normal user can delete root owned files!
Benjamin Pflugmann wrote:

> On Fri 2003-03-07 at 17:03:31 -, [EMAIL PROTECTED] wrote:
> > It's all to do with the x. for a file it means the owner/group can execute that file. But for a directory, anybody in the group for that directory can delete any file in the root of that directory, even if the group permissions for that file say they can't.
>
> Sorry, but that is wrong. The x bit for directories is about being able to access the content of a directory at all. The w bit determines whether you may delete (or create) files within a directory. And for completeness' sake, the r bit controls whether you may list the content:
>
>     # preparation
>     newton:~> mkdir test
>     newton:~> echo bar > test/foo
>     newton:~> ls -ld test
>     drwxrwx--- 2 philemon philemon 4096 Mar 8 00:29 test
>     newton:~> ls -l test
>     total 4
>     -rw-rw---- 1 philemon philemon 4 Mar 8 00:29 foo
>
>     # test what x does
>     newton:~> chmod a-x test
>     newton:~> ls test
>     foo
>     newton:~> cat test/foo
>     cat: test/foo: Permission denied
>     newton:~> cd test
>     test: Permission denied.
>     newton:~> touch test/foo2
>     touch: cannot touch `test/foo2': Permission denied
>     newton:~> chmod a+x test
>     # summary: lack of x forbids any access except accessing list of contents
>
>     # test for w
>     newton:~> chmod a-w test
>     newton:~> ls test
>     foo
>     newton:~> cat test/foo
>     bar
>     newton:~> cd test
>     newton:~/test> cd ..
>     newton:~> rm test/foo
>     rm: cannot remove `test/foo': Permission denied
>     newton:~> touch test/foo2
>     touch: cannot touch `test/foo2': Permission denied
>     newton:~> echo wah > test/foo2
>     test/foo2: Permission denied.
>     newton:~> echo wah > test/foo
>     newton:~> cat test/foo
>     wah
>     newton:~> chmod a+w test
>     # summary: lack of w forbids only deletion or creation of files, but
>     # allows changing of existing ones
>
>     # test for r
>     newton:~> chmod a-r test
>     newton:~> ls test
>     ls: test: Permission denied
>     newton:~> cat test/foo
>     wah
>     newton:~> cd test
>     newton:~/test> cd ..
>     newton:~> touch test/foo2
>     newton:~> chmod a+r test
>     newton:~> rm -rf test
>     # summary: lack of r forbids listing the directory's content, but
>     # direct access to content still works
>
> If you think about a directory as being a list of files and the permissions working on that, at least the r and w behaviour is intuitive at once: r tells if you are allowed to read the list of files (but nothing about accessing the files themselves); w tells if you are allowed to write to the list (creating/deleting files would change the list, but changing the content of existing files would not); and x can be thought of really being about what is contained in the directory, not the list of files (therefore looking at the list is still allowed, but nothing else).

Thanks to Benjamin for putting that one to rest. Being the chivalrous person I am, I never respond to queries with RTFM, but I do think man chmod is a very valuable document which contains pearls of wisdom, e.g.

    The letters `rwxXstugo' select the new permissions for the affected users: read (r), write (w), execute *(or access for directories)* (x), execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), sticky (t), the permissions granted to the user who owns the file (u), the permissions granted to other users who are members of the file's group (g), and the permissions granted to users that are in neither of the two preceding categories (o).

man ls and man rm are pretty good, too ;-)

Sir Robin

--
The raisins may be the best part of a cake, but that doesn't mean that a bag of raisins is better than a cake. - Wittgenstein

Robin Turner
IDMYO
Bilkent Univeritesi
Ankara 06533
Turkey
www.bilkent.edu.tr/~robin

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] normal user can delete root owned files!
On Sat, 2003-03-08 at 22:47, robin wrote:

> man ls and man rm are pretty good, too ;-)
>
> Sir Robin

    [EMAIL PROTECTED] root]# man woman
    No manual entry for woman
    [EMAIL PROTECTED] root]# man sense
    No manual entry for sense
    [EMAIL PROTECTED] root]# man brains
    No manual entry for brains

--
Sun, 9 Mar 2003 06:50:00 +1100
6:50am up 19:54, 5 users, load average: 0.64, 0.37, 0.25

--
stephen kuhn
kuhn media australia
http://kma.0catch.com
email: [EMAIL PROTECTED]
icq: 5483808
mobile: 0410-728-389
Berkeley, New South Wales, AU
linux user:267497 * RH 7.3/8.1 * Mandrake 9.1 * Microsoft Free
PC/Mac/Linux/Networking/Web/Graphics/Consulting

--
When the Universe was not so out of whack as it is today, and all the stars were lined up in their proper places, you could easily count them from left to right, or top to bottom, and the larger and bluer ones were set apart, and the smaller yellowing types pushed off to the corners as bodies of a lower grade ...
-- Stanislaw Lem, Cyberiad
Re: [newbie] normal user can delete root owned files!
On Sat, 08 Mar 2003 04:15, Todd Slater wrote:

> On Fri, Mar 07, 2003 at 02:38:20PM +, Anne Wilson wrote:
> > On Thursday 06 Mar 2003 2:26 am, cervixcouch wrote:
> > > On Friday 07 March 2003 09:09 am, Raffaele Belardi wrote:
> > > > You are right, from directories other than the /home/belardi it cannot be deleted (I tried '/' '/etc' '/home'). But still, I think that some time ago I tried to delete a root file from my home, and had to su to manage. On everybody else's system it's the same?
> > >
> > > I just tried it on my system and the same thing happens. Hadn't noticed before that I could delete a root-owned file if it was in my home directory. very curious...
> >
> > Why would you want something in your home directory that you couldn't delete? I'm not being obtuse - is there any reason you can think of that would make root place a file in your home directory but not want you to be able to delete it?
> >
> > Anne
>
> Just as an extra measure of security--something to protect me from myself :) Sometimes I do iso images in my ~/ as root. I'd prefer to switch to root to delete these.
>
> Todd

Then disabling your write permission is your alternative. That way you need not invoke nasty old tricksy root, my precious. (Sorry, Tolkien overload)

    $ chmod -w my_file_name

This ensures no-one can write or erase the file. Usually I would use octal but in this instance this syntax is shorter.

--
Michael
Re: [newbie] normal user can delete root owned files!
On Friday 07 March 2003 08:28 am, Raffaele Belardi wrote:

> nope, the same happens with non empty files!

It has to be because it is in your home directory then. Even though the file is owned by root, it is fully manipulateable (is that a word) by the user that owns the specific ~/. Does that sound like a possibility?

--
Greg
Re: [newbie] normal user can delete root owned files!
You are right, from directories other than the /home/belardi it cannot be deleted (I tried '/' '/etc' '/home'). But still, I think that some time ago I tried to delete a root file from my home, and had to su to manage. On everybody else's system it's the same?

raffaele

[EMAIL PROTECTED] wrote:

> On Friday 07 March 2003 08:28 am, Raffaele Belardi wrote:
>
> It has to be because it is in your home directory then. Even though the file is owned by root, it is fully manipulateable (is that a word) by the user that owns the specific ~/. Does that sound like a possibility?
Re: [newbie] normal user can delete root owned files!
Yes, it is the same on my system as I could not open Kmail after moving some things around yesterday. The cause was ownership had changed to root and user did not have permissions in this case. It was in user's home directory as well.

Brian

On Friday 07 March 2003 09:09 am, Raffaele Belardi wrote:

> You are right, from directories other than the /home/belardi it cannot be deleted (I tried '/' '/etc' '/home'). But still, I think that some time ago I tried to delete a root file from my home, and had to su to manage. On everybody else's system it's the same?
>
> raffaele
>
> [EMAIL PROTECTED] wrote:
> > On Friday 07 March 2003 08:28 am, Raffaele Belardi wrote:
> >
> > It has to be because it is in your home directory then. Even though the file is owned by root, it is fully manipulateable (is that a word) by the user that owns the specific ~/. Does that sound like a possibility?
Re: [newbie] normal user can delete root owned files!
On Friday 07 March 2003 09:09 am, Raffaele Belardi wrote:

> You are right, from directories other than the /home/belardi it cannot be deleted (I tried '/' '/etc' '/home'). But still, I think that some time ago I tried to delete a root file from my home, and had to su to manage. On everybody else's system it's the same?

I just tried it on my system and the same thing happens. Hadn't noticed before that I could delete a root-owned file if it was in my home directory. very curious...
Re: [newbie] normal user can delete root owned files!
On Thursday 06 Mar 2003 2:26 am, cervixcouch wrote:

> On Friday 07 March 2003 09:09 am, Raffaele Belardi wrote:
> > You are right, from directories other than the /home/belardi it cannot be deleted (I tried '/' '/etc' '/home'). But still, I think that some time ago I tried to delete a root file from my home, and had to su to manage. On everybody else's system it's the same?
>
> I just tried it on my system and the same thing happens. Hadn't noticed before that I could delete a root-owned file if it was in my home directory. very curious...

Why would you want something in your home directory that you couldn't delete? I'm not being obtuse - is there any reason you can think of that would make root place a file in your home directory but not want you to be able to delete it?

Anne

--
Registered Linux User No.293302
Re: [newbie] normal user can delete root owned files!
On Fri, 2003-03-07 at 10:38, Anne Wilson wrote:

> Why would you want something in your home directory that you couldn't delete? I'm not being obtuse - is there any reason you can think of that would make root place a file in your home directory but not want you to be able to delete it?
>
> Anne

Communism? :-)

--
Adolfo Bello [EMAIL PROTECTED]
Bello Ingenieria S.A, ICQ: 65910258
cel: +58 416 609-6213
fax: +58 212 952-6797
www.bisapi.com
pager: www.tun-tun.com (# 609-6213)
Re: [newbie] normal user can delete root owned files!
On Friday 07 March 2003 09:38 am, Anne Wilson wrote:

> On Thursday 06 Mar 2003 2:26 am, cervixcouch wrote:
> > On Friday 07 March 2003 09:09 am, Raffaele Belardi wrote:
> > > You are right, from directories other than the /home/belardi it cannot be deleted (I tried '/' '/etc' '/home'). But still, I think that some time ago I tried to delete a root file from my home, and had to su to manage. On everybody else's system it's the same?
> >
> > I just tried it on my system and the same thing happens. Hadn't noticed before that I could delete a root-owned file if it was in my home directory. very curious...
>
> Why would you want something in your home directory that you couldn't delete? I'm not being obtuse - is there any reason you can think of that would make root place a file in your home directory but not want you to be able to delete it?
>
> Anne

Maybe if a sys/net admin wanted to push out a screen saver or have a systems-related feature run on all computers and not allow the end-users to tamper with it? Just a guessling...
Re: [newbie] normal user can delete root owned files!
On Friday 07 March 2003 04:03 am, you wrote:

> I am running MDK9.0 with msec 3, vanilla kernel. I just noticed that, as a normal user, I am able to delete root-owned files (with -rw-r--r-- rights). I don't know when it started, I am almost sure it was not this way last time I tried. Does anybody have a similar issue?

The permission to delete a file depends on the permissions on the directory the file lives in, not on the permissions on the file itself. Just as you can link a file that you don't have read permissions to into a directory you have write permissions in you can also unlink it from that directory.
Re: [newbie] normal user can delete root owned files!
On Fri, Mar 07, 2003 at 02:38:20PM +, Anne Wilson wrote:

> On Thursday 06 Mar 2003 2:26 am, cervixcouch wrote:
> > On Friday 07 March 2003 09:09 am, Raffaele Belardi wrote:
> > > You are right, from directories other than the /home/belardi it cannot be deleted (I tried '/' '/etc' '/home'). But still, I think that some time ago I tried to delete a root file from my home, and had to su to manage. On everybody else's system it's the same?
> >
> > I just tried it on my system and the same thing happens. Hadn't noticed before that I could delete a root-owned file if it was in my home directory. very curious...
>
> Why would you want something in your home directory that you couldn't delete? I'm not being obtuse - is there any reason you can think of that would make root place a file in your home directory but not want you to be able to delete it?
>
> Anne

Just as an extra measure of security--something to protect me from myself :) Sometimes I do iso images in my ~/ as root. I'd prefer to switch to root to delete these.

Todd
Re: [newbie] normal user can delete root owned files!
On Wednesday 05 March 2003 09:54 pm, cervixcouch wrote:

> On Friday 07 March 2003 09:38 am, Anne Wilson wrote:
> > On Thursday 06 Mar 2003 2:26 am, cervixcouch wrote:
> > > On Friday 07 March 2003 09:09 am, Raffaele Belardi wrote:
> > > > You are right, from directories other than the /home/belardi it cannot be deleted (I tried '/' '/etc' '/home'). But still, I think that some time ago I tried to delete a root file from my home, and had to su to manage. On everybody else's system it's the same?
> > >
> > > I just tried it on my system and the same thing happens. Hadn't noticed before that I could delete a root-owned file if it was in my home directory. very curious...
> >
> > Why would you want something in your home directory that you couldn't delete? I'm not being obtuse - is there any reason you can think of that would make root place a file in your home directory but not want you to be able to delete it?
> >
> > Anne
>
> Maybe if a sys/net admin wanted to push out a screen saver or have a systems-related feature run on all computers and not allow the end-users to tamper with it? Just a guessling...

I don't think so. If it was to run on all computers, you sure would not place it in user space. The only reason I can think of is to prevent a user from deleting a folder that needs to be in the user's folders for some custom application.
Re: [newbie] normal user can delete root owned files!
This is a good explanation, thanks! After your comment I checked man chmod, I guess the explanation below is what you are referring to:

    STICKY DIRECTORIES
    When the sticky bit is set on a directory, files in that directory may be unlinked or renamed only by root or their owner. Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on directories, such as /tmp, that are world-writable.

How many things still to learn...

raffaele

[EMAIL PROTECTED] wrote:

> On Friday 07 March 2003 04:03 am, you wrote:
> > I am running MDK9.0 with msec 3, vanilla kernel. I just noticed that, as a normal user, I am able to delete root-owned files (with -rw-r--r-- rights). I don't know when it started, I am almost sure it was not this way last time I tried. Does anybody have a similar issue?
>
> The permission to delete a file depends on the permissions on the directory the file lives in, not on the permissions on the file itself. Just as you can link a file that you don't have read permissions to into a directory you have write permissions in you can also unlink it from that directory.
Re: [newbie] normal user can delete root owned files!
On Friday 07 March 2003 08:27 am, you wrote:

> This is a good explanation, thanks! After your comment I checked man chmod, I guess the explanation below is what you are referring to:
>
>     STICKY DIRECTORIES
>     When the sticky bit is set on a directory, files in that directory may be unlinked or renamed only by root or their owner. Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on directories, such as /tmp, that are world-writable.

No, that's a way around a particular permissions problem. The problem comes up in a couple of ways, the simple one here where multiple people have write access to a common directory. Having the ability to create a file in a directory means that you also have the ability to remove a file (properly, the link to the inode) from that directory - thus *anyone's* files.

The 'sticky bit' (properly the 'set user id on execute' or 'set group id on execute' function) didn't have a use on a directory, since it's not directly executable (and the execute bit is already used for 'ability to search') so the BSD folks set this up some years ago and it migrated into Linux.

Where this is particularly handy is in the mail directories - common areas where you want to manage your files but not let others read or delete them, unless they're a member of the mail group.

File permissions and handling are critical to a number of applications and the very best reason to never, ever, run with root permissions as a regular user. I used to run into that all the time - folks would get tired of permission issues and start running printer daemons as root and get all screwed up because there it blew away the printer and queue arbitration as it used the creation of read-only files as an atomic semaphore (the only one available in NFS).
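As an added example (not part of any poster's message and not code from the thread), the script below reads a directory's mode bits to report who can remove entries from it, and lists directories that group or other can write to without the sticky bit. The function names `delete_classes` and `shared_without_sticky` and the sample tree are constructed for illustration; it assumes a `stat` that accepts `-c '%a'`.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
# Assumes GNU or busybox stat (-c '%a') and a POSIX find (-perm -MODE).

# delete_classes DIR
# Reports which permission classes of DIR (its owner, its group, everyone
# else) may unlink or rename entries in it. Only the directory's mode is
# read: the mode and owner of the file being removed play no part unless
# the directory is sticky. Root is not bound by any of this.
delete_classes() {
    mode=$(stat -c '%a' "$1") || return 1
    m=$((0$mode))            # stat prints octal digits, e.g. 755 or 1777
    classes=""
    # Removing a name needs w (change the list) plus x (reach the entries).
    if [ $((m & 0300)) -eq $((0300)) ]; then classes="owner"; fi
    if [ $((m & 0030)) -eq $((0030)) ]; then classes="${classes:+$classes,}group"; fi
    if [ $((m & 0003)) -eq $((0003)) ]; then classes="${classes:+$classes,}other"; fi
    # Sticky bit: a class member may then remove only files they own
    # (the directory's owner is not restricted).
    if [ $((m & 01000)) -ne 0 ]; then sticky=yes; else sticky=no; fi
    printf 'can_delete=%s sticky=%s\n' "${classes:-none}" "$sticky"
}

# shared_without_sticky ROOT
# Lists directories under ROOT where group or other has w+x and the sticky
# bit is missing: every member of that class can delete everyone's files.
shared_without_sticky() {
    find "$1" -type d \( -perm -0030 -o -perm -0003 \) ! -perm -1000 -print | sort
}

# Constructed sample tree: a private home, a shared drop box, a /tmp-style
# directory and a read-only directory.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/home" "$t/shared" "$t/tmp" "$t/locked"
    chmod 0755 "$t/home"
    chmod 0777 "$t/shared"
    chmod 1777 "$t/tmp"
    chmod 0555 "$t/locked"
    # A "write-protected" file: its 0444 mode does not change the report.
    : > "$t/home/test.txt"
    chmod 0444 "$t/home/test.txt"
    for d in home shared tmp locked; do
        printf '%-7s %s\n' "$d" "$(delete_classes "$t/$d")"
    done
    echo "group/other-writable without sticky bit:"
    (cd "$t" && shared_without_sticky .)
    chmod -R u+w "$t"
    rm -rf "$t"
}
demo
```
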
RE: [newbie] normal user can delete root owned files!
It's all to do with the x. For a file it means the owner/group can execute that file. But for a directory, anybody in the group for that directory can delete any file in the root of that directory, even if the group permissions for that file say they can't.

Now if a member of that group created a folder in the root of that folder, then only they could get access to that folder, because that folder would then have the owner as the group, unless that is you use force group = whatever in smb.conf.

Just as a side line, if you do use force group = whatever, and users create a folder in that folder, and you have say force create = 750, then even if they are not a Unix / Linux member of that group, they can go look in anybody else's folder, but they can't delete anything or place anything in that other person's folder (using 750). But they can copy any file that is not theirs over to their folder and the copied file will have their permissions.

ken

-----Original Message-----
From: Raffaele Belardi [mailto:[EMAIL PROTECTED]
Sent: 07 March 2003 3:28 PM
To: [EMAIL PROTECTED]
Subject: Re: [newbie] normal user can delete root owned files!

This is a good explanation, thanks! After your comment I checked man chmod, I guess the explanation below is what you are referring to:

    STICKY DIRECTORIES
    When the sticky bit is set on a directory, files in that directory may be unlinked or renamed only by root or their owner. Without the sticky bit, anyone able to write to the directory can delete or rename files. The sticky bit is commonly found on directories, such as /tmp, that are world-writable.

How many things still to learn...

raffaele

[EMAIL PROTECTED] wrote:

> On Friday 07 March 2003 04:03 am, you wrote:
> > I am running MDK9.0 with msec 3, vanilla kernel. I just noticed that, as a normal user, I am able to delete root-owned files (with -rw-r--r-- rights). I don't know when it started, I am almost sure it was not this way last time I tried. Does anybody have a similar issue?
>
> The permission to delete a file depends on the permissions on the directory the file lives in, not on the permissions on the file itself. Just as you can link a file that you don't have read permissions to into a directory you have write permissions in you can also unlink it from that directory.
Re: [newbie] normal user can delete root owned files!
On Friday 07 March 2003 04:04 am, Greg Meyer wrote:

> On Friday 07 March 2003 06:03 am, Raffaele Belardi wrote:
> > I am running MDK9.0 with msec 3, vanilla kernel. I just noticed that, as a normal user, I am able to delete root-owned files (with -rw-r--r-- rights). I don't know when it started, I am almost sure it was not this way last time I tried. Does anybody have a similar issue?
> >
> > Here's the command sequence. User 'belardi' belongs to groups 'belardi' and 'users'.
> >
> >     [EMAIL PROTECTED] belardi]$ su
> >     Password:
> >     [EMAIL PROTECTED] belardi]# touch test.txt
> >     [EMAIL PROTECTED] belardi]# ll
> >     total 16
> >     drwxr--r-- 16 belardi belardi 4096 Feb 27 15:55 documents/
> >     drwxr--r-- 8 belardi belardi 4096 Jul 3 2002 ffjuser30/
> >     lrwxrwxrwx 1 belardi belardi 8 Dec 10 19:22 mp3 -> /var/mp3/
> >     drwxr--r-- 8 belardi belardi 4096 Mar 7 11:17 projects/
> >     -rw-r--r-- 1 root root 0 Mar 7 11:52 test.txt
> >     drwxr--r-- 6 belardi belardi 4096 Mar 6 15:39 tmp/
> >     [EMAIL PROTECTED] belardi]# exit
> >     exit
> >     [EMAIL PROTECTED] belardi]$ rm test.txt
> >     rm: remove write-protected regular empty file `test.txt'? y
> >     [EMAIL PROTECTED] belardi]$ ll
> >     total 16
> >     drwxr--r-- 16 belardi belardi 4096 Feb 27 15:55 documents/
> >     drwxr--r-- 8 belardi belardi 4096 Jul 3 2002 ffjuser30/
> >     lrwxrwxrwx 1 belardi belardi 8 Dec 10 19:22 mp3 -> /var/mp3/
> >     drwxr--r-- 8 belardi belardi 4096 Mar 7 11:17 projects/
> >     drwxr--r-- 6 belardi belardi 4096 Mar 6 15:39 tmp/
> >
> > thanks,
> >
> > raffaele
>
> Is it because it is an empty file in your home directory? Did you try it with a file that had something in it?

    [EMAIL PROTECTED] tester]$ mkdir clean
    [EMAIL PROTECTED] tester]$ cd clean
    [EMAIL PROTECTED] clean]$ echo 1 > test.txt
    [EMAIL PROTECTED] clean]$ su
    Password:
    [EMAIL PROTECTED] clean]# echo 1 > testr.txt
    [EMAIL PROTECTED] clean]# ll
    total 8
    -rw-r--r-- 1 root root 2 Mar 7 08:29 testr.txt
    -rw-r--r-- 1 tester tester 2 Mar 7 08:28 test.txt
    [EMAIL PROTECTED] clean]# exit
    exit
    [EMAIL PROTECTED] clean]$ rm testr.txt
    rm: remove write-protected regular file `testr.txt'? y
    [EMAIL PROTECTED] clean]$ ll
    total 4
    -rw-r--r-- 1 tester tester 2 Mar 7 08:28 test.txt
    [EMAIL PROTECTED] clean]$

No, it is not because it had something in it.

The fact is that files in YOUR home directory belong to you, the user, and you can chown chmod and delete them as you choose.

    [EMAIL PROTECTED] clean]$ su
    Password:
    [EMAIL PROTECTED] clean]# mkdir -p /home/george
    [EMAIL PROTECTED] clean]# cd /home/george
    [EMAIL PROTECTED] george]# echo 1 > testr.txt
    [EMAIL PROTECTED] george]# exit
    exit
    [EMAIL PROTECTED] clean]$ cd /home/george
    [EMAIL PROTECTED] george]$ rm testr.txt
    rm: remove write-protected regular file `testr.txt'? y
    rm: cannot remove `testr.txt': Permission denied
    [EMAIL PROTECTED] george]$

This is normal operation!!!

Civileme
Re: [newbie] normal user can delete root owned files!
On Fri 2003-03-07 at 17:03:31 -, [EMAIL PROTECTED] wrote:

> It's all to do with the x. for a file it means the owner/group can execute that file. But for a directory, anybody in the group for that directory can delete any file in the root of that directory, even if the group permissions for that file say they can't.

Sorry, but that is wrong. The x bit for directories is about being able to access the content of a directory at all. The w bit determines whether you may delete (or create) files within a directory. And for completeness' sake, the r bit controls whether you may list the content:

    # preparation
    newton:~> mkdir test
    newton:~> echo bar > test/foo
    newton:~> ls -ld test
    drwxrwx--- 2 philemon philemon 4096 Mar 8 00:29 test
    newton:~> ls -l test
    total 4
    -rw-rw---- 1 philemon philemon 4 Mar 8 00:29 foo

    # test what x does
    newton:~> chmod a-x test
    newton:~> ls test
    foo
    newton:~> cat test/foo
    cat: test/foo: Permission denied
    newton:~> cd test
    test: Permission denied.
    newton:~> touch test/foo2
    touch: cannot touch `test/foo2': Permission denied
    newton:~> chmod a+x test
    # summary: lack of x forbids any access except accessing list of contents

    # test for w
    newton:~> chmod a-w test
    newton:~> ls test
    foo
    newton:~> cat test/foo
    bar
    newton:~> cd test
    newton:~/test> cd ..
    newton:~> rm test/foo
    rm: cannot remove `test/foo': Permission denied
    newton:~> touch test/foo2
    touch: cannot touch `test/foo2': Permission denied
    newton:~> echo wah > test/foo2
    test/foo2: Permission denied.
    newton:~> echo wah > test/foo
    newton:~> cat test/foo
    wah
    newton:~> chmod a+w test
    # summary: lack of w forbids only deletion or creation of files, but
    # allows changing of existing ones

    # test for r
    newton:~> chmod a-r test
    newton:~> ls test
    ls: test: Permission denied
    newton:~> cat test/foo
    wah
    newton:~> cd test
    newton:~/test> cd ..
    newton:~> touch test/foo2
    newton:~> chmod a+r test
    newton:~> rm -rf test
    # summary: lack of r forbids listing the directory's content, but
    # direct access to content still works

If you think about a directory as being a list of files and the permissions working on that, at least the r and w behaviour is intuitive at once: r tells if you are allowed to read the list of files (but nothing about accessing the files themselves); w tells if you are allowed to write to the list (creating/deleting files would change the list, but changing the content of existing files would not); and x can be thought of really being about what is contained in the directory, not the list of files (therefore looking at the list is still allowed, but nothing else).

HTH,

Benjamin.

PS: I did approach the issue from the side of what happens if I take away that bit. Doing the tests when only one is set is left as an exercise for the reader. ;-)