Date: Thu, 31 Jan 2002 06:50:08 +0000 (GMT)
From: Matt Sykes <mattmsykes@yahoo.co.uk>
To: Tim Wilde <twilde@dyndns.org>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: able to delete root-owned files as non-root
Message-ID: <20020131065008.9251.qmail@web21008.mail.yahoo.com>
In-Reply-To: <Pine.GSO.4.40.0201310030001.20128-100000@quartz.bos.dyndns.org>

--- Tim Wilde <twilde@dyndns.org> wrote:
> On Thu, 31 Jan 2002, Matt Sykes wrote:
>
> > xerxes:~> whoami
> > sykes
> > xerxes:~> ll testfile
> > -rw-r--r-- 1 root wheel 0 Jan 31 00:23 testfile
> > xerxes:~> rm testfile
> > override rw-r--r-- root/wheel for testfile? y
> > xerxes:~> ll testfile
> > ls: testfile: No such file or directory
> >
> > Big security problem.
> >
> > This should never ever happen.
>
> Sure it should. If you own the directory this file is in, you have
> permission to do this. It's perfectly standard UNIX filesystem
> behavior.
> On my solaris box:
>
> twilde@quartz:~$ ls -lad .
> drwxr-xr-x 28 twilde twilde 2048 Jan 31 00:30 .
> twilde@quartz:~$ ls -la somefile
> -rw-r--r-- 1 root other 0 Jan 31 00:30 somefile
> twilde@quartz:~$ rm somefile
> rm: somefile: override protection 644 (yes/no)? y
> twilde@quartz:~$ ls -la somefile
> somefile: No such file or directory
> twilde@quartz:~$
>
> The ownership of the directory is what gives you permission to
> create or remove files in the directory. You wouldn't be able to
> EDIT that file as someone who doesn't have write privs on it, though.
>
> Tim Wilde

Ok I apologize for being a little rash in sending out this "problem".
I first noticed it right after cvsupping 4.5-stable and thought it was
related. A hasty assumption.

However I did manage to bungle up mergemaster, and consequently root
could log in without a password. But that is another story...

--Matt
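
The rule Tim Wilde describes, as an added example that is not part of the original thread: a Python model of the classic UNIX permission check for removing a directory entry, extended to the sticky-bit case (as on a shared /tmp), which the thread does not cover. The `St` tuple, the uid/gid values and the function names are constructed for illustration, and ACLs and file flags are ignored.

```python
import os
import stat
import tempfile
from collections import namedtuple

# Minimal stand-in for os.stat_result; all sample values below are constructed.
St = namedtuple("St", "st_mode st_uid st_gid")

def may_unlink(dir_st, file_st, uid, gids=()):
    """Classic UNIX check for removing a directory entry (ACLs, file flags ignored)."""
    if uid == 0:
        return True  # superuser bypasses mode bits
    # Select the permission class that applies to this user on the DIRECTORY.
    if uid == dir_st.st_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    if (dir_st.st_mode & need) != need:
        return False  # no write+search on the directory: cannot remove entries
    if dir_st.st_mode & stat.S_ISVTX:
        # Sticky directory: only the file's owner or the directory's owner may remove.
        return uid in (file_st.st_uid, dir_st.st_uid)
    return True  # the file's own mode and owner were never consulted

def remove_readonly_file_in_own_dir():
    """Live check: a mode-0444 file inside a directory we own can still be unlinked."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "testfile")
        open(path, "w").close()
        os.chmod(path, 0o444)
        os.unlink(path)
        return not os.path.exists(path)

# Constructed cases mirroring the thread: uid 1001 owns the directory, root owns the file.
home = St(stat.S_IFDIR | 0o755, 1001, 1001)
root_file = St(stat.S_IFREG | 0o644, 0, 0)
shared_tmp = St(stat.S_IFDIR | 0o1777, 0, 0)  # sticky, world-writable

if __name__ == "__main__":
    print(may_unlink(home, root_file, 1001))        # directory owner
    print(may_unlink(home, root_file, 1002))        # another user
    print(may_unlink(shared_tmp, root_file, 1001))  # sticky directory
    print(remove_readonly_file_in_own_dir())
```

To audit a real path, build the two arguments with `os.stat()` on the parent directory and `os.lstat()` on the file.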