Re: No permissions to write to other users 777 file in sticky bit dir, even as root

To: debian-testing@lists.debian.org
Subject: Re: No permissions to write to other users 777 file in sticky bit dir, even as root
From: MichaIng <micha@dietpi.com>
Date: Tue, 8 Dec 2020 22:34:36 +0100
Message-id: <[🔎] 7301beaa-f0ca-f712-fd29-73546384de7d@dietpi.com>
In-reply-to: <[🔎] e8154280-71d8-22ed-aa05-1989a507eec0@dietpi.com>
References: <[🔎] e8154280-71d8-22ed-aa05-1989a507eec0@dietpi.com>

Okay, the reason has been found:

- https://lists.debian.org/debian-user/2020/12/msg00305.html

-https://patchwork.kernel.org/project/kernel-hardening/patch/20180416175918.GA13494@beast/

Since Debian Bullseye sysctl fs.protected_regular defaults to "2", whichdenies every attempt of a O_CREAT write to a file, that is not owned byoneself, inside a world-writeable sticky bit directory.


The problem I have with this:

- It practically breaks writeable sharing files through /tmp betweenmultiple users/processes, since O_CREAT is involved in many regular filewrite methods, like shell redirects, but this is expected for thesecurity purpose.

- It is not documented anywhere related to /tmp or the sticky bit, so atleast on my end it was totally unexpected, especially when somethingdoes not work anymore that one was used to until Debian Buster.

- root user is currently included, while it is permitted to remove anyfile in a sticky bit directory, which is the actual documented intentionof the sticky bit. So IMO root user should be taken out of thisrestrictions. But I'm not sure if this is even possible when this is akernel-level feature?


So not sure how to handle best:

- Add info about those additional restrictions to the chmod man page:https://manpages.debian.org/testing/coreutils/chmod.1.en.html#RESTRICTED_DELETION_FLAG_OR_STICKY_BIT

- Likely there are many other docs around modes where this info ismissing. Here I did find it:https://manpages.debian.org/testing/manpages/proc.5.en.html#Files_and_directories

- Revert fs.protected_regular to default "0" to not break whatpreviously worked without a very clear documentation and changelog,probably extended error messages about that, if even possible at such alevel? That is actually what I would vote for since all software I knowplaces sensitive files into restricted sub directories of /tmp or /runand/or use systemd's PrivateTmp anyway. So if someone really needs tohave this extra bit of security, it can always be enabled manually, butas a default that breaks things in a hard to debug and unexpected way isnot a good default, IMO.


Best regards and stay healthy,

Micha

Reply to:

References:
- No permissions to write to other users 777 file in sticky bit dir, even as root
  - From: MichaIng <micha@dietpi.com>

Prev by Date: No permissions to write to other users 777 file in sticky bit dir, even as root
Previous by thread: No permissions to write to other users 777 file in sticky bit dir, even as root
Index(es):
- Date
- Thread