If I run 'sudo touch /home/user1/tst', the user1 can remove file tst (even though root is owner, and others should be able to read it only). Please tell me, is that normal behaviour or security issue?
/home is on ext3.

thanks.

give sticky bit permission to the directory so that only owner can delete the files or directory itself.

also give 744 permission to the directory so that others and group will have read only permission over the directory.

2 members found this post helpful.

The user can remove a file root created if the user is in root's private group...

cat /etc/groups

for more info.Or if the user has id of 0

cat /etc/passwd for details...

1 members found this post helpful.

well it says:
cat: /etc/groups: No such file or directory

user1 is in sudoers, does that matter?
id is 1000.

If user1 is a member of roots home then he can have access to roots files.
1.give root home this

#chmod 744

4-read
2-write
1-execute

hm, user1 is not in root's private group:
user1@debian:~$ cat /etc/group
root:x:0:

I am talking about the files created by root in home/user1 directory.
user1 cannot modify/delete files in /etc/ or similar, but has full access to all files in its home (even those owned by root).

root is default owner for all files and user is owner of its home directory

but you need to check the permission of the file which is created by root inside /home directory of user
for eg:
The file is inside user's home dir and is owned by root so user will not be able to make any changes because the permission is 644
only owner can make changes and not others

yes, I've got exact same empty file, and if I try rm it as user1:
rm: remove write-protected regular empty file `tst'?

after replying with 'y', it removes it!

Yes this behaviour is quite normal.
In order to remove file user don't need any permissions to the file, but write permission to directory that this file in.

1 members found this post helpful.

did you applied sticky bit to that file?

Sticky bit should be applied not to the file, but to it's parent directory, as yourself said in the one of previous ports

agreed but it seems qrange didn't noticed my earlier post

But on the contrary leaving the OP apart sticky bit can be given to files as well

It looks to me like USER created the file so root's 'touch' would only modify the access time.

I.e., it was never root's file. (Others have noted the inheritance of ownership from the parent folder and this may be why it was never root's.)

But to belabor the subject, for example if a user creates a text file
then as root or sudo or whatever does this...
User can still add another line:
and USER can delete the file when no longer needed.

In the original post all root did was "touch" a preexisting file and that does not change ownership.

In short, yes. It's normal security. :-)

@deep27ak
I had checked 'only owner can rename and delete folder content' for /home/user1 in krusader, presuming thats 'sticky bit'.
there is no such option for files.
@rainbowsally
the file was not preexisting. it was created with sudo touch, and had root as owner. exact same thing happens if I use su instead.