query with file permissions

iinfi · 12-31-2008, 12:17 PM

hi all,

i have a simple query with how file permissions are implemented.

here is how it goes.
1. As a root user i created two users u1 and u2
2. created a /share folder on root directory and gave 777 permission to it.
3. logged into u1 and created a file t1
4. logged into u2 and created a file t2
5. logged back into root and did a chmod 600 to the files in /share drive
6. now when i log into u1 and edit file t2 (which has owner u2:u2) it allows me to force edit the file even though the file doesnt have permissions for the user to edit it
the code is below. am i missing anything here?

Code:

[root@localhost ~]# useradd u1
[root@localhost ~]# useradd u2
[root@localhost ~]# mkdir /share
[root@localhost ~]#  ls -l / | grep share
drwxr-xr-x   2 root root  4096 Dec 30 16:00 share
[root@localhost ~]# chmod 777 /share/
[root@localhost ~]# su u1
[u1@localhost root]$ cd /share/
[u1@localhost share]$ touch t1
[u1@localhost share]$ ls -l
total 4
-rw-rw-r-- 1 u1 u1 0 Dec 30 16:04 t1
[u1@localhost share]$ vi t1 
[u1@localhost share]$ su
Password: 
[root@localhost share]# cat t1 
this is u1
[root@localhost share]# su u2
[u2@localhost share]$ cd /share/
[u2@localhost share]$ touch t2
[u2@localhost share]$ ls -l
total 12
-rw-rw-r-- 1 u1 u1 11 Dec 30 16:05 t1
-rw-rw-r-- 1 u2 u2  0 Dec 30 16:05 t2
[u2@localhost share]$ su 
Password: 
[root@localhost share]# chmod 600 *
[root@localhost share]# ls -l
total 12
-rw------- 1 u1 u1 11 Dec 30 16:05 t1
-rw------- 1 u2 u2  0 Dec 30 16:05 t2
[root@localhost share]# su u2
[u2@localhost share]$ vi t1
[u2@localhost share]$ cat t1
this is u2
[u2@localhost share]$ ls -l
total 12
-rw------- 1 u2 u2 11 Dec 30 16:09 t1
-rw------- 1 u2 u2  0 Dec 30 16:05 t2
[u2@localhost share]$

rajeshkerala · 12-31-2008, 03:39 PM

What u said is true...Its allowing to force write!

Telemachos · 12-31-2008, 04:18 PM

This always surprises people. The problem is the permissions of the directory. Whether or not a specific user can edit a given file has to do with the permissions of the directory, even more than the permissions of the file. See here for more information: http://www.albany.edu/faculty/gms/ho...rmissions.html

iinfi · 01-01-2009, 02:35 AM

thanks for your reply. i still didnt fully understand this file permissions.
well, in my scenario, if i wanted that the second user sud not view/modify the files of the first user, then i sud use uid n sticky bit.
i.e
chmod 5600 t1

am i rite?

jschiwal · 01-01-2009, 02:50 AM

What vim did is replace the old file with the new one by the same name. The file you were left with was a new file owned by u2 and not u1. Deleting a file writes to the directory and not to the file itself. This is why the ownership and permissions on the file did not protect it. It could have been owned by root.

System directories such as /etc/ don't allow "others" to write, so they can't do this.

If you create a directory to use as a samba share that anyone can write to, you want to set the sticky bit on it as well.
sudo mkdir /srv/samba/public/
sudo chmod ugo=rwxt /srv/samba/public

---

One thing you might want to use is the `-d' option to ls. That makes it easy to look at the permissions of a directory. So instead of using "ls -l / | grep share", use "ls -ld /share".

iinfi · 01-01-2009, 05:11 AM

awesome .... thank you so much. now i get it. have a gr8 2009