Operating System - HP-UX

Root-owned file vulnerable under user dir

 
SOLVED
Jakes Louw
Trusted Contributor

Root-owned file vulnerable under user dir

Is this normal:

A file owned by root is resident under a user directory.
The user (owner of the parent directory) can delete the root file, even though he obviously is not the owner and does not have super-user privileges.

The root-owned file also has permissions set of "chmod 100": execute for root only, no other permissions, no SUID bits, nothing.

I can reproduce this at will.
Are we saying then that if you own a directory, you can delete the contents at will, regardless of ownership?

This isn't how I've understood UNIX security over the last 10 years.

This server is running 11.11 with Dec 2002 GPK, no extras.

What am I missing?
Trying is the first step to failure - Homer Simpson
12 REPLIES
Mark Grant
Honored Contributor
Solution

Re: Root-owned file vulnerable under user dir

Not if you set the sticky bit on the directory itself. Set this sticky bit and only the owner can delete it.
Never precede any demonstration with anything more predictive than "watch this"
Sanjay Kumar Suri
Honored Contributor

Re: Root-owned file vulnerable under user dir

Whew...

It is normal. And this is how it works on my system as well except the following difference in my case:

$rm sss
sss: 644 mode ? (y/n) y

FILE gone.

sks
A rigid mind is very sure, but often wrong. A flexible mind is generally unsure, but often right.
Jeroen Peereboom
Honored Contributor

Re: Root-owned file vulnerable under user dir

Jakes,

this is normal behavior. Deleting a file means writing in its directory.
As Mark says you should set the sticky bit on the directory (chmod u+t).
According to the man page, the owner of the file, the owner of the directory or superuser can remove the file (even if the modes of the directory would otherwise allow such operation).

To be honest I learned about the sticky directory bit on a Linux course...

JP.
KapilRaj
Honored Contributor

Re: Root-owned file vulnerable under user dir

Unless you have the sticky bit on the directory, this is normal, as the owner of the directory has write permission on the directory!

Regds,

Kaps
Nothing is impossible
Jakes Louw
Trusted Contributor

Re: Root-owned file vulnerable under user dir

OK, I just set the sticky on that dir :

chmod u+t .....

and the guy can STILL delete a file touched by root.

WHAT NOW?
Trying is the first step to failure - Homer Simpson
Mark Grant
Honored Contributor

Re: Root-owned file vulnerable under user dir

Try "chmod u+s" instead :)
Never precede any demonstration with anything more predictive than "watch this"
Mark Grant
Honored Contributor

Re: Root-owned file vulnerable under user dir

Apologies for being dumb today. It should be the "t" not the "s" of course.

The actual definition is that when the sticky bit is set in a directory, only the owner of the file AND the owner of the directory can remove the file.
Never precede any demonstration with anything more predictive than "watch this"
Jeroen Peereboom
Honored Contributor

Re: Root-owned file vulnerable under user dir

Jakes,

the owner of the directory can remove root's file in that dir. Check the manpage of chmod on sticky bit.
According to the man page, the owner of the file, the owner of the directory or superuser can remove the file (even if the modes of the directory would otherwise allow such operation).

Jeroen P.
Jeroen Peereboom
Honored Contributor

Re: Root-owned file vulnerable under user dir

Hmm,

maybe I should add the word ONLY:
ONLY the owner of the file, the owner of the directory or superuser can remove the file (even if the modes of the directory would otherwise allow such operation).

So if the directory is group-writable, members of the group cannot delete root's file if the directory has sticky bit.

Regardless of the file's protection, the directory owner can remove the file (if the directory has sticky bit or if the owner has write access to his/her own directory).

JP
Bill Hassell
Honored Contributor

Re: Root-owned file vulnerable under user dir

This is a very basic concept of Unix filesystems. The file's ownership and permissions govern the CONTENTS only. The EXISTENCE of a file is governed solely by the directory's permissions and ownership. That's why you can't protect .profile in the user's $HOME directory. You can make a file 444 permissions with root as the owner so the contents can't be changed, but the user can simply mv or rm the file and create their own .profile. As mentioned, you can add the sticky bit to the directory and now mv and rm will not work if the file has a different owner (such as root). This bit is a common sysadmin enhancement for /tmp and /var/tmp, less common for $HOME but may be useful.


Bill Hassell, sysadmin
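The rule Jeroen and Bill describe, as an added Python model (not from the original thread and not HP-UX's own code): `can_unlink` decides whether a uid may rm or mv an entry out of a directory using only the directory's ownership and mode, plus the sticky-bit exemption for the file owner, directory owner and superuser. The uids, gids and the 0o755 home-directory mode are assumed; the 100-mode root-owned file is the one from the original post.

```python
"""Model of who may remove a directory entry on a classic Unix filesystem."""
import stat
from dataclasses import dataclass

ROOT_UID = 0


@dataclass(frozen=True)
class Inode:
    owner: int
    gid: int
    mode: int  # permission bits plus sticky, e.g. 0o1755


def _has_perm(uid, groups, node, other_bit):
    """Owner/group/other check for one permission class (pass S_IWOTH or S_IXOTH)."""
    if uid == ROOT_UID:            # superuser bypasses discretionary checks
        return True
    if uid == node.owner:
        return bool(node.mode & (other_bit << 6))
    if node.gid in groups:
        return bool(node.mode & (other_bit << 3))
    return bool(node.mode & other_bit)


def can_unlink(uid, groups, directory, target):
    """True if uid may rm/mv `target` out of `directory`.

    The target's own mode (even 0o100) and owner are irrelevant unless the
    directory is sticky: deletion is a write to the directory, not the file."""
    if not (_has_perm(uid, groups, directory, stat.S_IXOTH)
            and _has_perm(uid, groups, directory, stat.S_IWOTH)):
        return False
    if directory.mode & stat.S_ISVTX:
        # Sticky directory: ONLY file owner, directory owner or superuser.
        return uid in (ROOT_UID, directory.owner, target.owner)
    return True


def thread_scenarios():
    """The cases discussed in the thread; uids/gids are constructed."""
    jakes, member, outsider = 501, 502, 503
    root_file = Inode(owner=ROOT_UID, gid=0, mode=0o100)   # "chmod 100" from the post
    home = Inode(owner=jakes, gid=20, mode=0o755)
    return {
        "owner_plain": can_unlink(jakes, {20}, home, root_file),                        # deletable
        "owner_sticky": can_unlink(jakes, {20}, Inode(jakes, 20, 0o1755), root_file),   # still deletable
        "group_writable": can_unlink(member, {20}, Inode(jakes, 20, 0o775), root_file), # deletable
        "group_sticky": can_unlink(member, {20}, Inode(jakes, 20, 0o1775), root_file),  # blocked
        "outsider": can_unlink(outsider, {30}, home, root_file),                        # no write on dir
    }
```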
Hazem Mahmoud_3
Respected Contributor

Re: Root-owned file vulnerable under user dir

A good way to think of it is that all "objects" on Unix are just files. Therefore, even directories can be considered as files. Therefore, the owner of the directory can modify the file (ie: directory) contents by adding/deleting contents inside of it, just like how you can add/remove contents in a normal flat file if you are the owner of that file. If you think about it that way, it makes a lot of sense.
Just a reiteration on what Bill has already mentioned.

-Hazem
Rory R Hammond
Trusted Contributor

Re: Root-owned file vulnerable under user dir

FYI

You make it sound like a bad thing that the owner can remove a root owned file from his "domain".

As an application owner, or an owner of a directory, you better believe I want to be able to remove "ANY" file in "MY" directories. Furthermore, I don't want root to be able to put anything in "MY" space.

Permissions are also designed to protect the user. In my mind, the only exception should be "lost+found" on file systems owned by a user or application. Then as an administrator (root), I encourage the user to leave it alone.

Now, if I am a "rogue" user, then let's talk restricted shell, and files that I may use.


Good Luck
Rory
There are 100 ways to do things and 97 of them are right