Problem: user allowed to modify root's files in /home
If I run 'sudo touch /home/user1/tst', user1 can remove the file tst (even though root is the owner, and others should only be able to read it). Please tell me, is that normal behaviour or a security issue?
/home is on ext3. Thanks. |
Give the sticky bit permission to the directory so that only the owner can delete the files or the directory itself.
Also give 744 permission to the directory so that others and the group will have read-only permission on the directory. Code:
#chmod -R 1744 /home/user1/tst |
The user can remove a file root created if the user is in root's private group...
cat /etc/groups for more info. Or if the user has an id of 0; cat /etc/passwd for details... |
Well, it says:
cat: /etc/groups: No such file or directory
user1 is in sudoers, does that matter? Its id is 1000. |
Code:
#cat /etc/group |
If user1 is a member of root's home then he can have access to root's files.
1. Give root's home this: #chmod 744 (4 = read, 2 = write, 1 = execute) |
Hm, user1 is not in root's private group:
user1@debian:~$ cat /etc/group
root:x:0:
I am talking about the files created by root in the /home/user1 directory. user1 cannot modify/delete files in /etc/ or similar, but has full access to all files in its home (even those owned by root). |
root is the default owner for all files, and the user is the owner of its home directory,
but you need to check the permission of the file which is created by root inside the user's /home directory, e.g.: Code:
-rw-r--r-- 1 root root 0 Feb 8 18:19 test.txt
Only the owner can make changes, not others. |
Yes, I've got the exact same empty file, and if I try to rm it as user1:
rm: remove write-protected regular empty file `tst'?
After replying with 'y', it removes it! |
In order to remove a file, the user doesn't need any permissions on the file, but write permission on the directory that the file is in. |
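The rule stated in this post can be checked without sudo. The following script is an added example, not code posted in the thread: it creates temporary directories and shows that a mode-0444 file in a writable directory is removable, that an ordinary user cannot unlink a mode-0644 file from a mode-0555 directory, and what a sticky-bit directory looks like in ls. The directory-lock check is skipped when run as root, since root bypasses directory permission checks.

```shell
#!/bin/sh
# Added example: unlink depends on the directory's mode, not the file's.

# Returns 0 if a read-only (0444) file in a writable directory can be removed.
can_remove_readonly_file_in_writable_dir() {
    d=$(mktemp -d) || return 2
    touch "$d/tst" && chmod 0444 "$d/tst"
    rm -f "$d/tst" 2>/dev/null       # -f only suppresses the "write-protected" prompt
    ret=1
    [ ! -e "$d/tst" ] && ret=0       # gone: the file's own mode did not protect it
    rm -rf "$d"
    return $ret
}

# Returns 0 if a writable (0644) file in a read-only (0555) directory survives rm.
# Root has CAP_DAC_OVERRIDE and would remove it anyway, so the check is skipped.
cannot_remove_file_in_readonly_dir() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "running as root: directory permissions are bypassed, check skipped"
        return 0
    fi
    d=$(mktemp -d) || return 2
    touch "$d/tst" && chmod 0644 "$d/tst"
    chmod 0555 "$d"                  # no write permission on the directory
    rm -f "$d/tst" 2>/dev/null
    ret=1
    [ -e "$d/tst" ] && ret=0         # still there: EACCES came from the directory
    chmod 0755 "$d"
    rm -rf "$d"
    return $ret
}

# Returns 0 if chmod 1777 yields the 'drwxrwxrwt' listing the sticky bit produces.
# With the sticky bit set, only a file's owner, the directory owner or root may
# unlink it; demonstrating that needs a second user, so only the mode is shown here.
sticky_bit_visible() {
    d=$(mktemp -d) || return 2
    chmod 1777 "$d"
    perm=$(ls -ld "$d" | cut -c1-10)
    rm -rf "$d"
    [ "$perm" = "drwxrwxrwt" ]
}

can_remove_readonly_file_in_writable_dir && echo "read-only file removed from writable dir"
cannot_remove_file_in_readonly_dir && echo "file kept in read-only dir"
sticky_bit_visible && echo "sticky directory shows as drwxrwxrwt"
```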
Agreed, but it seems qrange didn't notice my earlier post.
But on the contrary, leaving the OP aside, the sticky bit can be given to files as well :cool: |
I.e., it was never root's file. (Others have noted the inheritance of ownership from the parent folder, and this may be why it was never root's.) But to belabor the subject, for example if a user creates a text file Code:
echo "This is $USER" > test.txt        # run as the user: creates the file, user owns it
Code:
echo "And this is ROOT" >> test.txt    # run as root: appends, ownership unchanged
Code:
echo "And this is $USER again" >> test.txt   # run as the user again
In the original post all root did was "touch" a preexisting file, and that does not change ownership. In short, yes. It's normal security. :-) |
@deep27ak
I had checked 'only owner can rename and delete folder content' for /home/user1 in Krusader, presuming that's the 'sticky bit'. There is no such option for files. @rainbowsally the file was not preexisting. It was created with sudo touch, and had root as owner. The exact same thing happens if I use su instead. |