[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Kernel 3.14.x bug? rm, mv root-owned files



Hello,

Could anyone verify this "bug" I ran into, please?  I don't know for sure if it is the new kernel, or any combination of various packages (pam, rm, mv...).

Thanks,

Jimmy



###-----


Software version:

   kernel 3.14.5
   Debian sid

Problem description:  With normal/common file permission usage, in a directory owned by non-root user, the user can rename or delete root-owned files using:

   /bin/mv
   /bin/rm 

Within such directory, that non-root user can also 

   /bin/rm, or /bin/mv  an empty root-owned subdirectory

   /bin/mv  a subdirectory owned by root
   
but prevented from moving or deleting the files within such subdirectory


###-----

Some tests:


As user 'tst1':

   $ mkdir -p /tmp/testing/
   $ ls -altr /tmp | grep testing
drwxr-xr-x  2 tst1 tst1 4096 Jun  5 13:48 testing


   

As root, create some files and subdirectory in the above directory:

   # echo "1 2 3 4 5" > /tmp/testing/test1.txt
   # ls -altr /tmp/testing/
total 12
drwxrwxrwt 14 root root 4096 Jun  5 13:48 ..
-rw-r--r--  1 root root   10 Jun  5 13:49 test1.txt
drwxr-xr-x  2 tst1 tst1 4096 Jun  5 13:49 .


   # mkdir -p /tmp/testing/test.mvrmBug/
   # ls -altr /tmp/testing/
total 16
drwxrwxrwt 14 root root 4096 Jun  5 13:48 ..
-rw-r--r--  1 root root   10 Jun  5 13:49 test1.txt
drwxr-xr-x  2 root root 4096 Jun  5 13:50 test.mvrmBug
drwxr-xr-x  3 tst1 tst1 4096 Jun  5 13:50 .


   # echo "a b c d e" > /tmp/testing/test.mvrmBug/test2.txt
   # ls -altr /tmp/testing/test.mvrmBug/
total 12
drwxr-xr-x 3 tst1 tst1 4096 Jun  5 13:50 ..
-rw-r--r-- 1 root root   10 Jun  5 13:51 test2.txt
drwxr-xr-x 2 root root 4096 Jun  5 13:51 .


   # mkdir -p /tmp/testing/test.mvrmEmptySubdir/
   # ls -altr /tmp/testing/
total 20
drwxrwxrwt 14 root root 4096 Jun  5 13:48 ..
-rw-r--r--  1 root root   10 Jun  5 13:49 test1.txt
drwxr-xr-x  2 root root 4096 Jun  5 13:51 test.mvrmBug
drwxr-xr-x  2 root root 4096 Jun  5 13:52 test.mvrmEmptySubdir
drwxr-xr-x  4 tst1 tst1 4096 Jun  5 13:52 .
   

   
   

As the original user 'tst1':

   $ ls -altr /tmp/ | grep testing
drwxr-xr-x  4 tst1 tst1 4096 Jun  5 13:52 testing


   $ ls -altr /tmp/testing/
total 20
drwxrwxrwt 14 root root 4096 Jun  5 13:48 ..
-rw-r--r--  1 root root   10 Jun  5 13:49 test1.txt
drwxr-xr-x  2 root root 4096 Jun  5 13:51 test.mvrmBug
drwxr-xr-x  2 root root 4096 Jun  5 13:52 test.mvrmEmptySubdir
drwxr-xr-x  4 tst1 tst1 4096 Jun  5 13:52 .


   
   // --- rename (move) a file owned by root, should not be allowed, but is allowed:

   $ mv -v /tmp/testing/test1.txt  /tmp/testing/junk1.txt
‘/tmp/testing/test1.txt’ -> ‘/tmp/testing/junk1.txt’


   $ ls -altr /tmp/testing/
total 20
drwxrwxrwt 14 root root 4096 Jun  5 13:48 ..
-rw-r--r--  1 root root   10 Jun  5 13:49 junk1.txt
drwxr-xr-x  2 root root 4096 Jun  5 13:51 test.mvrmBug
drwxr-xr-x  2 root root 4096 Jun  5 13:52 test.mvrmEmptySubdir
drwxr-xr-x  4 tst1 tst1 4096 Jun  5 13:53 .


   $ mv -v /tmp/testing/junk1.txt  /tmp/testing/newjunk1.txt
‘/tmp/testing/junk1.txt’ -> ‘/tmp/testing/newjunk1.txt’


   $ ls -altr /tmp/testing/
total 20
-rw-r--r--  1 root root   10 Jun  5 13:49 newjunk1.txt
drwxr-xr-x  2 root root 4096 Jun  5 13:51 test.mvrmBug
drwxr-xr-x  2 root root 4096 Jun  5 13:52 test.mvrmEmptySubdir
drwxrwxrwt 14 root root 4096 Jun  5 13:55 ..
drwxr-xr-x  4 tst1 tst1 4096 Jun  5 13:55 .

   

   // --- remove (delete) a file owned by root, should not be allowed, but is allowed.  Here, it says the file is 'read-only' so it warns about it, but of course "rm -f " would work, too:

   $ rm -v /tmp/testing/newjunk1.txt
rm: remove write-protected regular file ‘/tmp/testing/newjunk1.txt’? y
removed ‘/tmp/testing/newjunk1.txt’


   $ ls -altr /tmp/testing/
total 16
drwxr-xr-x  2 root root 4096 Jun  5 13:51 test.mvrmBug
drwxr-xr-x  2 root root 4096 Jun  5 13:52 test.mvrmEmptySubdir
drwxrwxrwt 14 root root 4096 Jun  5 13:55 ..
drwxr-xr-x  4 tst1 tst1 4096 Jun  5 13:57 .

   
   
   // --- rename (move) a subdirectory owned by root, should not be allowed, but is allowed:
   
   $ mv -v /tmp/testing/test.mvrmBug  /tmp/testing/try.mvrmBug
‘/tmp/testing/test.mvrmBug’ -> ‘/tmp/testing/try.mvrmBug’


   $ ls -altr /tmp/testing/
total 16
drwxr-xr-x  2 root root 4096 Jun  5 13:51 try.mvrmBug
drwxr-xr-x  2 root root 4096 Jun  5 13:52 test.mvrmEmptySubdir
drwxrwxrwt 14 root root 4096 Jun  5 13:55 ..
drwxr-xr-x  4 tst1 tst1 4096 Jun  5 14:00 .


   $ mv -v /tmp/testing/try.mvrmBug  /tmp/testing/squash.mvrmBug
‘/tmp/testing/try.mvrmBug’ -> ‘/tmp/testing/squash.mvrmBug’


   $ ls -altr /tmp/testing/
total 16
drwxr-xr-x  2 root root 4096 Jun  5 13:51 squash.mvrmBug
drwxr-xr-x  2 root root 4096 Jun  5 13:52 test.mvrmEmptySubdir
drwxrwxrwt 14 root root 4096 Jun  5 13:55 ..
drwxr-xr-x  4 tst1 tst1 4096 Jun  5 14:01 .

   
   // --- can delete (rmdir, rm -fR, rm -fr) an empty subdirectory, did not even prompt for confirmation, should not be allowed: 
   
   $ rmdir -v /tmp/testing/test.mvrmEmptySubdir/
rmdir: removing directory, ‘/tmp/testing/test.mvrmEmptySubdir/’


   $ ls -altr /tmp/testing/
total 12
drwxr-xr-x  2 root root 4096 Jun  5 13:51 squash.mvrmBug
drwxrwxrwt 14 root root 4096 Jun  5 14:03 ..
drwxr-xr-x  3 tst1 tst1 4096 Jun  5 14:03 .


   // --- at least, cannot remove, or reach inside a not-empty subdirectory owned by root, thank goodness:

   $ rm -fR /tmp/testing/squash.mvrmBug
rm: cannot remove ‘/tmp/testing/squash.mvrmBug/test2.txt’: Permission denied


   $ ls -altr /tmp/testing/
total 12
drwxr-xr-x  2 root root 4096 Jun  5 13:51 squash.mvrmBug
drwxrwxrwt 14 root root 4096 Jun  5 14:03 ..
drwxr-xr-x  3 tst1 tst1 4096 Jun  5 14:03 .

   
   
###-----
Reply to: