02-07-2012, 08:26 AM   #1
Senior Member
Registered: Jul 2006
Location: Belgrade, Yugoslavia
Distribution: Debian stable/testing, amd64
Posts: 1,067
Problem: user allowed to modify root's files in /home
If I run 'sudo touch /home/user1/tst', user1 can remove the file tst (even though root is the owner, and others should only be able to read it). Please tell me, is that normal behaviour or a security issue?
/home is on ext3.
Thanks.
02-07-2012, 08:34 AM   #2
Senior Member
Registered: Aug 2011
Location: Bangalore, India
Distribution: RHEL 7.x, SLES 11 SP2/3/4
Posts: 1,195
Give the sticky bit permission to the directory so that only the owner can delete the files or the directory itself.
Also give 744 permission to the directory so that others and the group will have read-only permission over the directory.
Code:
#chmod -R 1744 /home/user1/tst
2 members found this post helpful.
02-07-2012, 08:39 AM   #3
Member
Registered: Jul 2009
Posts: 645
The user can remove a file root created if the user is in root's private group...
cat /etc/groups
for more info. Or if the user has an id of 0:
cat /etc/passwd for details...
1 member found this post helpful.
02-07-2012, 09:10 AM   #4
Senior Member
Registered: Jul 2006
Location: Belgrade, Yugoslavia
Distribution: Debian stable/testing, amd64
Posts: 1,067
Original Poster
Well, it says:
cat: /etc/groups: No such file or directory
user1 is in sudoers; does that matter?
The id is 1000.
02-07-2012, 09:16 AM   #5
Senior Member
Registered: Aug 2011
Location: Bangalore, India
Distribution: RHEL 7.x, SLES 11 SP2/3/4
Posts: 1,195
Quote:
Originally Posted by qrange
Well, it says:
cat: /etc/groups: No such file or directory
user1 is in sudoers; does that matter?
The id is 1000.
02-07-2012, 05:08 PM   #6
Member
Registered: Sep 2011
Distribution: fedora, redhat, mint
Posts: 87
If user1 is a member of root's home then he can have access to root's files.
1. Give root's home this:
#chmod 744
4 - read
2 - write
1 - execute
02-08-2012, 02:11 AM   #7
Senior Member
Registered: Jul 2006
Location: Belgrade, Yugoslavia
Distribution: Debian stable/testing, amd64
Posts: 1,067
Original Poster
Hm, user1 is not in root's private group:
user1@debian:~$ cat /etc/group
root:x:0:
I am talking about the files created by root in the /home/user1 directory.
user1 cannot modify/delete files in /etc/ or similar, but has full access to all files in its home (even those owned by root).
02-08-2012, 02:20 AM   #8
Senior Member
Registered: Aug 2011
Location: Bangalore, India
Distribution: RHEL 7.x, SLES 11 SP2/3/4
Posts: 1,195
root is the default owner for all files and the user is the owner of its home directory,
but you need to check the permission of the file which is created by root inside the user's /home directory.
For example:
Code:
-rw-r--r-- 1 root root 0 Feb 8 18:19 test.txt
The file is inside the user's home dir and is owned by root, so the user will not be able to make any changes because the permission is 644:
only the owner can make changes, not others.
02-08-2012, 02:36 AM   #9
Senior Member
Registered: Jul 2006
Location: Belgrade, Yugoslavia
Distribution: Debian stable/testing, amd64
Posts: 1,067
Original Poster
Yes, I've got the exact same empty file, and if I try to rm it as user1:
rm: remove write-protected regular empty file `tst'?
after replying with 'y', it removes it!
02-08-2012, 03:06 AM   #10
ELF Statifier author
Registered: Oct 2007
Posts: 676
Quote:
Originally Posted by qrange
If I run 'sudo touch /home/user1/tst', user1 can remove the file tst (even though root is the owner, and others should only be able to read it). Please tell me, is that normal behaviour or a security issue?
/home is on ext3.
Thanks.
Yes, this behaviour is quite normal.
In order to remove a file, the user doesn't need any permissions on the file, but write permission on the directory that the file is in.
1 member found this post helpful.
02-08-2012, 03:17 AM   #11
Senior Member
Registered: Aug 2011
Location: Bangalore, India
Distribution: RHEL 7.x, SLES 11 SP2/3/4
Posts: 1,195
Quote:
Originally Posted by qrange
Yes, I've got the exact same empty file, and if I try to rm it as user1:
rm: remove write-protected regular empty file `tst'?
after replying with 'y', it removes it!
Did you apply the sticky bit to that file?
02-08-2012, 03:38 AM   #12
ELF Statifier author
Registered: Oct 2007
Posts: 676
Quote:
Originally Posted by deep27ak
Did you apply the sticky bit to that file?
The sticky bit should be applied not to the file, but to its parent directory, as you yourself said in one of the previous posts.
02-08-2012, 03:42 AM   #13
Senior Member
Registered: Aug 2011
Location: Bangalore, India
Distribution: RHEL 7.x, SLES 11 SP2/3/4
Posts: 1,195
Agreed, but it seems qrange didn't notice my earlier post.
But on the contrary, leaving the OP apart, the sticky bit can be given to files as well.
02-08-2012, 04:04 AM   #14
Member
Registered: Oct 2011
Posts: 47
Quote:
Originally Posted by qrange
If I run 'sudo touch /home/user1/tst', user1 can remove the file tst (even though root is the owner, and others should only be able to read it). Please tell me, is that normal behaviour or a security issue?
/home is on ext3.
Thanks.
It looks to me like USER created the file, so root's 'touch' would only modify the access time.
I.e., it was never root's file. (Others have noted the inheritance of ownership from the parent folder, and this may be why it was never root's.)
But to belabor the subject, for example, if a user creates a text file
Code:
echo "This is $USER" > test.txt
and then, as root or via sudo or whatever, does this...
Code:
echo "And this is ROOT" >> test.txt
the user can still add another line:
Code:
echo "And this is $USER again" >> test.txt
and USER can delete the file when it is no longer needed.
In the original post all root did was "touch" a preexisting file, and that does not change ownership.
In short, yes. It's normal security. :-)
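The rule stated in post #10 (rm needs write permission on the directory, not on the file) and the echo walk-through in post #14 can be reproduced without root. The script below is an added example, not code from the thread or its posters; it assumes a POSIX sh with coreutils (mktemp, chmod, ls, rm) and a non-root account, because root bypasses ordinary mode-bit checks. It also shows what the sticky bit that posts #2 and #12 discuss looks like on a directory.

```sh
#!/bin/sh
# Added example (not from the thread): unlink is decided by the parent
# directory's write bit, not by the file's own mode or owner.
# Assumptions: POSIX sh, coreutils, and a non-root user.

# Returns 0 when a write-protected (0444) file is still removable from a
# directory the caller can write to. This is the OP's case: the file's
# mode and owner do not matter to rm, the directory's write bit does.
readonly_file_in_writable_dir() {
    d=$(mktemp -d) || return 2
    : > "$d/tst"
    chmod 0444 "$d/tst"     # file itself: read-only for everyone
    chmod 0755 "$d"         # directory: writable by its owner
    # -f skips rm's "remove write-protected regular empty file?" prompt
    if rm -f "$d/tst" 2>/dev/null && [ ! -e "$d/tst" ]; then
        rmdir "$d"
        return 0
    fi
    chmod -R u+w "$d"; rm -rf "$d"
    return 1
}

# Returns 0 when a world-writable (0666) file can NOT be removed because
# the directory holding it has no write bit. Returns 1 if rm succeeded,
# which for an ordinary user should not happen (it does for root).
writable_file_in_readonly_dir() {
    d=$(mktemp -d) || return 2
    : > "$d/tst"
    chmod 0666 "$d/tst"     # file: writable by everyone
    chmod 0555 "$d"         # directory: no write bit, so no unlink/rename/create
    if rm -f "$d/tst" 2>/dev/null; then
        chmod u+w "$d"; rm -rf "$d"
        return 1
    fi
    chmod u+w "$d"; rm -rf "$d"
    return 0
}

# Prints the ls-style mode of a directory after setting the sticky bit
# (mode 1755). The trailing 't' is the bit: with it set, an entry in the
# directory may be unlinked or renamed only by the entry's owner, the
# directory's owner, or root.
sticky_dir_mode() {
    d=$(mktemp -d) || return 2
    chmod 1755 "$d"
    ls -ld "$d" | cut -c1-10     # prints drwxr-xr-t
    rmdir "$d"
}

# Stand-alone run: report each outcome.
readonly_file_in_writable_dir && echo "0444 file in writable dir: removed (directory bit decides)"
writable_file_in_readonly_dir && echo "0666 file in 0555 dir: rm refused"
echo "sticky directory mode: $(sticky_dir_mode)"
```

For the OP's /home/user1 case, the second function is the relevant one: user1 owns and can write /home/user1, so any entry in it can be unlinked by user1 regardless of who owns the file. Setting the sticky bit on /home/user1 does not change that either, since the sticky bit still lets the directory's owner remove entries; it only restricts other users who share a writable directory, which is why it is used on /tmp.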
02-09-2012, 02:06 AM   #15
Senior Member
Registered: Jul 2006
Location: Belgrade, Yugoslavia
Distribution: Debian stable/testing, amd64
Posts: 1,067
Original Poster
@deep27ak
I had checked 'only owner can rename and delete folder content' for /home/user1 in Krusader, presuming that's the 'sticky bit'.
There is no such option for files.
@rainbowsally
The file was not preexisting. It was created with sudo touch, and had root as owner. The exact same thing happens if I use su instead.