[colug-432] RHEL: Permissions Error / Write a Read-Only File
Joshua Kramer
joskra42.list at gmail.com
Thu Dec 1 00:21:57 EST 2016
Hello!
I have run across a peculiar behavior in RHEL 6. One user can write
to a file that does not belong to him by mv'ing one of his files to
the target filename.
Say we have two users, Bob and Alice.
1. Alice has created a separate OS group for a project: AliceProj.
2. Alice adds Bob to the group AliceProj.
3. Alice creates a directory somewhere, let's call it
/srv/AliceProjDir. She sets it user+rwx, group+wrx, all+rx.
3. Alice creates a file in /srv/AliceProjDir,
ALICE_IMPORTANT_DATA.xml. She sets it read-write to herself,
read-only to the group AliceProj.
4. Bob comes along and, in the directory noted above, does 'cp
ALICE_IMPORTANT_DATA.xml BOB_EDITED_DATA.xml'
5. Bob edits his BOB_EDITED_DATA.xml.
6. Bob does this: 'mv BOB_EDITED_DATA.xml ALICE_IMPORTANT_DATA.xml'
7. Now Alice's important data file, that should only be writeable by
Alice, contains Bob's edits.
Why does this work, and why is it not considered a bug?
Cheers!
-JK
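
Added example, not part of the original post: mv calls rename(2), which needs write and search permission on the containing directory and never checks the mode of the file being replaced, so the name ends up pointing at a different inode. The sketch reproduces steps 4 to 6 as a single user in a temporary directory (so it shows the mode being ignored, not the ownership change) and adds a check for directories where group members can do this; the function names and temporary paths are assumptions.

```shell
#!/bin/sh
# Added example: names follow the post; the temp directory and the
# function names are assumptions made for this sketch.

# Prints "replaced" if mv swaps out a file whose mode is 0444.
replace_readonly() {
    dir=$(mktemp -d) || return 1
    chmod 775 "$dir"                          # directory is writable
    target="$dir/ALICE_IMPORTANT_DATA.xml"
    echo "alice data" > "$target"
    chmod 444 "$target"                       # file itself is read-only
    before=$(ls -i "$target" | awk '{print $1}')

    cp "$target" "$dir/BOB_EDITED_DATA.xml"   # new file, new inode
    chmod u+w "$dir/BOB_EDITED_DATA.xml"
    echo "bob edit" >> "$dir/BOB_EDITED_DATA.xml"
    # -f skips mv's confirmation prompt for an unwritable target.
    mv -f "$dir/BOB_EDITED_DATA.xml" "$target"

    after=$(ls -i "$target" | awk '{print $1}')
    if [ "$before" != "$after" ] && grep -q "bob edit" "$target"; then
        result=replaced       # the name now points at the other inode
    else
        result=unchanged
    fi
    rm -rf "$dir"
    echo "$result"
}

# True when group members may rename or delete entries in directory $1
# that they do not own: group-writable and no sticky bit.
group_can_replace() {
    [ -n "$(find "$1" -prune -type d -perm -020 ! -perm -1000 -print)" ]
}

replace_readonly
```

With the sticky bit set on the directory (chmod +t), rename and delete are limited to the file's owner, the directory's owner and root, and group_can_replace returns false for it.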