Bug#1033477: linux: symlink in sticky directory not owned 0:0 behaves weirdly (EACCES if mode 1777, okay if 1755, &c.)



Source: linux
Version: 6.1.20-1
Severity: normal

Dear Maintainer,

Here's a session that demonstrates the issue:
-- >8 --
/srv# echo /srv/f > f
/srv# mkdir -m 1777 1777
/srv# ln -s /srv/f 1777/
/srv# chown _apt 1777/

/srv$ cat 1777/f
cat: 1777/f: Permission denied
/srv$ cat f
/srv/f
-- >8 --

Or, in short:
-- >8 --
$ find /srv/ -exec ls -ld {} +
drwxr-xr-x 3 root root 4096 Mar 25 17:34 /srv/
drwxrwxrwt 2 _apt root 4096 Mar 25 17:34 /srv/1777
lrwxrwxrwx 1 root root    6 Mar 25 17:34 /srv/1777/f -> /srv/f
-rw-r--r-- 1 root root    7 Mar 25 17:34 /srv/f
-- >8 --

If you don't chown (leave it owned 0:0), the cat succeeds.
If you make it 1755 instead of 1777, the cat succeeds as well!

This is obviously insane, but I'm assuming no-one noticed
because no-one uses sticky directories not owned 0:0.

If you additionally mkdir 1777/dir and make an identical symlink there,
the cat also succeeds.

Naturally, it should succeed in every scenario.

Best,
наб

-- System Information:
Debian Release: 12.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: amd64, i386

Kernel: Linux 6.1.0-2-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
