Re: File Permissions are incorrect. Security flaw in Linux

[Richard B. Johnson]

On Wed, 1 Oct 2003, Jurjen Oskam wrote:

> On Wed, Oct 01, 2003 at 06:40:13AM -0600, Lisa R. Nelson wrote:
>
> > [1.] One line summary of the problem:
> > A low level user can delete a file owned by root and belonging to group
> > root even if the files permissions are 744.  This is not in agreement
> > with Unix, and is a major security issue.
>
> This *is* in agreement with Unix. It works exactly the same on AIX, for
> example.
>
> --
> Jurjen Oskam
>

Yes. File removal is subject to DIRECTORY permissions.

Script started on Wed Oct  1 10:03:26 2003
# pwd
/tmp
# >foo
# chmod 744 foo
# ls -la
total 8
drwxrwxrwx   2 root     root         4096 Oct  1 10:03 .
drwxr-xr-x  25 root     root         4096 Oct  1 04:09 ..
-rwxr--r--   1 root     root            0 Oct  1 10:03 foo
-rw-r--r--   1 root     root            0 Oct  1 10:03 typescript
# su johnson
$ ls -la
total 8
drwxrwxrwx   2 root     root         4096 Oct  1 10:03 .
drwxr-xr-x  25 root     root         4096 Oct  1 04:09 ..
-rwxr--r--   1 root     root            0 Oct  1 10:03 foo
-rw-r--r--   1 root     root            0 Oct  1 10:03 typescript
$ pwd
/tmp
$ rm foo
rm: remove write-protected file `foo'? y
$ ls -la
total 8
drwxrwxrwx   2 root     root         4096 Oct  1 10:04 .
drwxr-xr-x  25 root     root         4096 Oct  1 04:09 ..
-rw-r--r--   1 root     root            0 Oct  1 10:03 typescript
$ exit
exit
# ls
typescript
# exit
exit
Script done on Wed Oct  1 10:04:17 2003

...So anything you put into "/tmp", for instance, can be deleted
by anybody. This is the Unix way.


Cheers,
Dick Johnson
Penguin : Linux version 2.4.22 on an i686 machine (797.90 BogoMips).
            Note 96.31% of all statistics are fiction.


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/