Re: RM disregards file level permissions and uses directory permissions
From: Eric Blake
Subject: Re: RM disregards file level permissions and uses directory permissions instead.
Date: Wed, 16 Apr 2008 18:33:46 -0600
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080213 Thunderbird/2.0.0.12 Mnenhy/0.7.5.666

According to James J. Perry on 4/16/2008 4:25 PM:
| We are in the cutover process and one of the DBAs found this behavior.
| If testfile1 is owned by usera:group1 in a parent directory with
| permissions 777 owned by usera:group1, userb:group2 can delete testfile1
| even if testfile1 has permissions 600. Conversely if the same parent
| directory has permissions 755 and userb owns testfile2 with 777
| permissions they cannot delete their own file from that parent
| directory.

Yes, and POSIX requires this. You probably want to set the directory's
sticky bit.

| I found this happens on rm version 5.2.1 running on RHEL4
| and 5.97 running on RHEL5.

Consider upgrading - the latest stable version is 6.10 (and 6.11 is due
out this month).

| It does not specify anything about this
| behavior in the man pages or other docs. Can you please look into this
| and let me know about this behavior?

POSIX documents it here:

http://www.opengroup.org/onlinepubs/009695399/utilities/rm.html
http://www.opengroup.org/onlinepubs/009695399/functions/unlink.html

In particular, the EACCES errors on unlink() mention that without the
sticky bit, all you need is write access to the directory (and your
directory is world writable); with the sticky bit set, you must also own
the directory and file.

To set the sticky bit, use:

    chmod a+t dir

or

    chmod 01777 dir

--
Don't work too hard, make some time for fun as well!
Eric Blake address@hidden
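
To locate directories where the behaviour discussed in this thread applies, the following added example (not part of the original message or of coreutils) classifies a directory by its mode bits and lists world-writable directories that lack the sticky bit. The function names and the sample tree are constructed for illustration, and only mode bits are checked, not ACLs.

```shell
#!/bin/sh
# Added example: classify directories by how deletion of their entries is
# controlled. Only mode bits are examined; ACLs are ignored (assumption).

# classify_dir DIR prints one of:
#   open        others have write+search and no sticky bit is set, so any
#               user may unlink entries regardless of each file's own mode
#   sticky      others have write+search, sticky bit set: deletion is
#               further restricted by ownership
#   restricted  others lack write or search permission on DIR
classify_dir() {
    if [ -n "$(find "$1" -prune -type d -perm -0003 ! -perm -1000)" ]; then
        echo open
    elif [ -n "$(find "$1" -prune -type d -perm -1003)" ]; then
        echo sticky
    else
        echo restricted
    fi
}

# audit_tree ROOT lists every "open" directory under ROOT without crossing
# filesystem boundaries; unreadable subtrees are skipped silently.
audit_tree() {
    find "$1" -xdev -type d -perm -0003 ! -perm -1000 -print 2>/dev/null
}

# demo builds a constructed sample tree, reports on it, then applies the
# fix from the message (chmod a+t) and shows the audit come back empty.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/shared" "$tmp/spool" "$tmp/private"
    chmod 0777 "$tmp/shared"
    chmod 01777 "$tmp/spool"
    chmod 0755 "$tmp/private"
    for d in shared spool private; do
        printf '%-8s %s\n' "$d" "$(classify_dir "$tmp/$d")"
    done
    echo "open directories before fix:"; audit_tree "$tmp"
    chmod a+t "$tmp/shared"
    echo "open directories after fix: $(audit_tree "$tmp" | wc -l)"
    rm -rf "$tmp"
}

demo
```

Running `audit_tree` against a real mount point may take a while on large filesystems; `-xdev` keeps it from descending into other mounts.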