Bug#295146: kernel: can delete root directories

[Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>]

Al Viro <viro@parcelfarce.linux.theplanet.co.uk> writes:

> On Sun, Feb 13, 2005 at 06:31:09PM -0500, Rehm wrote:
>> Package: kernel
>> Severity: critical
>> Justification: root security hole
>> 
>> Extremely insecure. Apparently after having been able to do mounting
>> on a diskimage disk1.img (sued to root under lightweight wm in X- xterm box) on a directory called ./1,
>> drwxr-xr-x  2 root  root     4096 2005-02-13 18:22 1
>> $
>> ->as a normal user, (and my groups command shows no respect of being
>> member of root), I am able to delete directory 1, or shouldn't I? Either
>> I'm very dumb, or something is terribly wrong..Any other further details I can provide and test- I wouldn't
>> mind..Thanks for the feedback..
>
> a) do you actually have something mounted on that directory at the time?
> b) strace of rmdir, please

c) rights to delete are governed by the directory the thing to delete
is in and not by the thing itself. The rights of '1' are irelevant if
it is empty.

MfG
        Goswin