LinuxQuestions.org

Thread: Why user can override the ACL file (http://www.linuxquestions.org/questions/linux-general-1/why-user-can-override-the-acl-file-4175460024/)

Ashish Sood 04-29-2013 11:52 AM

Why user can override the ACL file
 
Hi,

Today I was practicing ACLs and gave a user read permission on a file, which simply means the user cannot write to the file. But the picture was different: after that I logged in as the user to write to the file, and after entering insert mode I got a warning message "read only file can not write into it, to write user ! to override", so I used wq!. After that the file was saved with my content, and now the owner and group of the file are the user, not root.

What is this? Is this a security flaw of ACLs?

acid_kewpie 04-29-2013 01:21 PM

Is this ext3 ACLs? ACLs appear in LOADS of places, please clarify.

Assuming it is ext3 though, then the owner of a file can change the rights of that file. So if the user could change a file to make it writable, vi will do it for you, as there's no security model to stop you doing it the long way round anyway.

rknichols 04-29-2013 10:35 PM

If the user has write permission in the directory, then the user can simply delete the existing file and create a new one with the same name. That's the way most editors update a file anyway (create a new file with a temporary name and then, after the write is successful, rename it to replace the existing file), and the warning about a read-only file is just that, a warning.
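The mechanism rknichols describes can be seen directly with a few lines of Python. This is an added example, not code from the thread or from any editor: it emulates the write-a-temporary-file-then-rename pattern, applies it to a file whose mode is 0444 (standing in for the read-only ACL in the question), and reports what changed. The file name `notes.txt` and the temporary directory are constructed for the demonstration. Two results depend on who runs it: `direct_write_allowed` and `blocked_when_dir_readonly` reflect the kernel's mode-bit checks, which root bypasses, so as root they come out True and False respectively.

```python
"""Why a read-only file can still be 'saved over' by an editor.

The editor never opens the protected file for writing. It creates a new
file in the same directory and renames it over the old one, which needs
write+search permission on the DIRECTORY, not write permission on the
file. The replacement is a brand-new inode owned by whoever ran the
editor, which is why the owner in the question changed from root to the
user.
"""
import os
import shutil
import stat
import tempfile


def direct_write_allowed(path: str) -> bool:
    """True if the kernel lets us open the file itself for writing.

    For a 0444 file this is False for an ordinary user. Root bypasses
    discretionary mode bits and gets True.
    """
    try:
        with open(path, "a"):
            return True
    except PermissionError:
        return False


def editor_style_save(path: str, data: bytes) -> dict:
    """Emulate what most editors (and vi's ':wq!') do to 'overwrite' a file.

    Write the new contents to a temporary file in the same directory, then
    rename it over the original. Returns before/after metadata so the
    caller can see that a different inode with a different owner and mode
    now sits at the same path.
    """
    before = os.stat(path)
    dirname = os.path.dirname(path) or "."
    # mkstemp needs write permission on the directory, nothing on the file.
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".swp-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.rename(tmp, path)  # atomic replace; original inode is unlinked
    after = os.stat(path)
    return {
        "inode_changed": before.st_ino != after.st_ino,
        "owner_before": before.st_uid,
        "owner_after": after.st_uid,
        "mode_before": stat.S_IMODE(before.st_mode),
        "mode_after": stat.S_IMODE(after.st_mode),  # mkstemp creates 0600
    }


def replace_blocked_by_directory(path: str) -> bool:
    """Retry the trick after taking write permission away from the directory.

    Returns True if the kernel refused (what an ordinary user sees). Root
    is not subject to mode bits and gets False. This is the actual
    control: protect the directory, not just the file.
    """
    dirname = os.path.dirname(path) or "."
    saved = stat.S_IMODE(os.stat(dirname).st_mode)
    os.chmod(dirname, 0o555)
    try:
        editor_style_save(path, b"should not land\n")
        return False
    except PermissionError:
        return True
    finally:
        os.chmod(dirname, saved)


def demo() -> dict:
    """Run the whole scenario in a scratch directory and return the findings."""
    workdir = tempfile.mkdtemp(prefix="acl-demo-")
    try:
        target = os.path.join(workdir, "notes.txt")  # constructed sample file
        with open(target, "wb") as f:
            f.write(b"original\n")
        os.chmod(target, 0o444)  # read-only for everyone, like the ACL in the question

        result = {"direct_write_allowed": direct_write_allowed(target)}
        result.update(editor_style_save(target, b"replaced by editor\n"))
        with open(target, "rb") as f:
            result["content"] = f.read()
        result["owner_matches_caller"] = result["owner_after"] == os.getuid()
        result["blocked_when_dir_readonly"] = replace_blocked_by_directory(target)
        return result
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it as an unprivileged user shows `direct_write_allowed: False` but `inode_changed: True` and the new content in place, exactly the situation in the first post; `blocked_when_dir_readonly: True` shows where the effective control lives. Note that the replacement file carries mkstemp's 0600 mode rather than the original 0444, so even the permissions the owner set are gone after the "save"; real editors usually try to copy the old mode across, but nothing forces them to.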

Ashish Sood 04-30-2013 05:02 AM

Thanks a lot for this detailed information. Earlier I had misunderstood; now it's clear to me :)

sundialsvcs 05-04-2013 08:38 AM

This also emphasizes a very important point: don't assume.

Do log on as that other user, and do attempt to do what you intend for him to be unable to do, and confirm not only that it does not succeed but that the messages given are appropriate (and, if any logging should have occurred, that it actually did.)
