Re: File permission confusion [Debian 9.1 with MATE]

To: debian-user@lists.debian.org
Subject: Re: File permission confusion [Debian 9.1 with MATE]
From: "Thomas Schmitt" <scdbackup@gmx.net>
Date: Mon, 01 Jan 2018 13:01:23 +0100
Message-id: <[🔎] 13990787417135627594@scdbackup.webframe.org>
In-reply-to: <[🔎] 4a8c7464-49bd-fdf9-5f76-194953b22020@cloud85.net>
References: <[🔎] 4a8c7464-49bd-fdf9-5f76-194953b22020@cloud85.net>

Hi,

Richard Owlett wrote:
> As user "richard" I was able to delete them with Caja.

To prevent renaming or deletion of a file, you need to prevent writing
to the directory which hosts it. (Actually you delete the "dirent", which
points to the inode. The inode gets deleted when its last dirent is gone
and no filedescriptor is open on it any more.)

You may prevent writing either by taking away w-permission for everybody
  chmod a-w directory
or by preventing users from removing files which they don't own
  chmod +t directory
But the superuser will probably be able to override both of this without
the prior need to change the directory permissions.

There is
  chattr +i file
with some filesystems. I dimly remember we had a discussion about its
effectiveness a while ago ...

> Logged into Debian as "richard" SeaMonkey was able to change contents of
> those files.

It is a usual strategy against softlink spoofing to rename or delete the
original file and to store the changed content as new file.

Have a nice day :)

Thomas

Reply to:

Follow-Ups:
- Re: File permission confusion [Debian 9.1 with MATE]
  - From: Richard Owlett <rowlett@cloud85.net>

References:
- [ADDENDUM] File permission confusion [Debian 9.1 with MATE]
  - From: Richard Owlett <rowlett@cloud85.net>

Prev by Date: Re: [ADDENDUM] File permission confusion [Debian 9.1 with MATE]
Next by Date: Re: File permission confusion [Debian 9.1 with MATE]
Previous by thread: Re: [ADDENDUM] File permission confusion [Debian 9.1 with MATE]
Next by thread: Re: File permission confusion [Debian 9.1 with MATE]
Index(es):
- Date
- Thread