On 11/26/2010 02:24 PM, Christopher Howard wrote:
> So, I was messing around the other day, and found this rather wierd behavior in Linux:
>
> First, I go root, and cd to some public directory. I create a file with some text in it (we'll call it file0) with the new file of course being own by root.
>
> Next, I switch back to a regular user account. I cd to my /tmp directory, and use the ln command to create a new file (file1) in the /tmp directory that is a hard link to file0. The new file1, strangely enough, is not own by me, but is owned by root, although it does have "everyone" read permissions.
>
> Then, I go root again, and I delete file0. I switch back to my regular user, and discover that file1 still exists, and is still owned by root. I cannot delete it with my regular user account.
>
> So, in summary, as a non-root user, I have the ability to "create" (preserve?) files that I do not own and that I cannot delete.
>
What filesystem are you using? What distro?
Shouldn't be possible if your operating system is at all secure (doesn't run ln as setuid
root). You cannot modify (including create) files owned by root even if it's the same
inode as another file. In order not to sound like a dork I attempted the following on
XFS/JFS2/GFS2/NFS+EXT4/EXT4
spencersr@banzai:/tmp$ sudo touch woman
spencersr@banzai:/tmp$ ln woman man
ln: creating hard link `man' => `woman': Operation not permitted
Here.. running ln as setuid root gets things rocking :)
spencersr@banzai:/tmp$ sudo chmod u+s /bin/ln
spencersr@banzai:/tmp$ ln woman man
spencersr@banzai:/tmp$ ls -lai man woman
34857277 -rw-r--r-- 2 root root 0 2010-11-26 17:36 man
34857277 -rw-r--r-- 2 root root 0 2010-11-26 17:36 woman
- Shane
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Fri Nov 26 17:45:30 2010
This archive was generated by hypermail 2.1.8 : Fri Nov 26 2010 - 17:45:30 AKST