[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: directory sticky bit strangeness following libc6 update

On Fri, Apr 17, 2020 at 02:17:46PM -0500, Bob Tracy wrote:
> All,
> 
> This likely isn't unique to Debian, much less the alpha platform, but
> I first encountered this strangeness on my alpha running Debian unstable.
> 
> Best way to explain what I'm seeing is by example.  A fairly common
> thing to do is create temporary or download directories with octal mode
> 1777 that are accessible by everyone.  The directory can be read/written
> by everyone, but users (with the exception of "root") cannot delete files
> in the directory that they do not own.  Otherwise, normal file
> permissions are applied as far as operations that can be performed on a
> particular file, and the expected (pre-libc6 update) behavior is that
> "root" can do anything with a particular file in the absence of extended
> ACL or selinux interference.  "/var/tmp" is one such directory, and a
> thing I like to do is maintain a list of currently-installed packages by
> running "dpkg -l > packages" in that directory as a normal user.

it seems the difference lies in handling of O_CREAT.

    # ls -ldn /var/tmp /var/tmp/hello
    drwxrwxrwt 4    0    0 183 Apr 18 10:37 /var/tmp
    -rw-rw-r-- 1 1002 1002  14 Apr 18 10:37 /var/tmp/hello

    # echo 'howdy' >>/var/tmp/hello
    bash: /var/tmp/hello: Permission denied

    # cat /var/tmp/hello
    hello, world!

    # strace -f sh -c "echo 'howdy' >>/var/tmp/hello" 2>&1 | grep /var/tmp/hello | grep openat
    openat(AT_FDCWD, "/var/tmp/hello", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)


same permission problem with perl sysopen:

    # strace -f -e trace=file 2>&1 perl -e 'use Fcntl; sysopen(my $fh, "/var/tmp/hello", O_WRONLY|O_CREAT|O_APPEND); print $fh "howdy\n"; close $fh;' | grep /var/tmp/hello
    openat(AT_FDCWD, "/var/tmp/hello", O_WRONLY|O_CREAT|O_APPEND|O_CLOEXEC, 0666) = -1 EACCES (Permission denied)


but success when leaving out O_CREAT (also removes the creation umask argument in openat call):

    # strace -f -e trace=file 2>&1 perl -e 'use Fcntl; sysopen(my $fh, "/var/tmp/hello", O_WRONLY|O_APPEND); print $fh "howdy\n"; close $fh;' | grep /var/tmp/hello
    openat(AT_FDCWD, "/var/tmp/hello", O_WRONLY|O_APPEND|O_CLOEXEC) = 3

    # ls -ldn /var/tmp/hello
    -rw-rw-r-- 1 1002 1002 20 Apr 18 11:51 /var/tmp/hello

    # cat /var/tmp/hello
    hello, world!
    howdy



not Alpha specific; this was done on x86_64 Ubuntu 20.04 beta:

    # uname -a; dpkg -l 'libc6' | grep ^.i
    Linux xyz 5.4.0-24-generic #28-Ubuntu SMP Thu Apr 9 22:16:42 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
    ii  libc6:amd64    2.31-0ubuntu7 amd64        GNU C Library: Shared libraries


same kernel installed on an x86_64 Ubuntu 18.04, I get no "Permission denied":

    # uname -a; dpkg -l 'libc6' | grep ^.i
    Linux xyz18 5.4.0-24-generic #28-Ubuntu SMP Thu Apr 9 22:16:42 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
    ii  libc6:amd64    2.27-3ubuntu1 amd64        GNU C Library: Shared libraries


So it seems not to be caused by the kernel version; strange how the same
syscalls give different results depending on libc version.

If the rules had changed, it should not succeed even without
O_CREAT. A bug?


Regards
Matthias Ferdinand
Reply to: