I'm seeing some file ownership behavior that concerns me. Near as I can
tell, a non-root user who's a member of a group can change ownership of
a file that's owned by another member of the same group, even if the
group perms for the file are read-only. I need to know if this is
expected behavior. I also saw the behavior today in SLES9, although I
need to verify the details more carefully tomorrow.
On my Fedora machine I added my non-root self to group "users", then, as
root, created a directory with root:users ownership. I then added a
file inside that directory called "junk" with 644 perms and owned by
root:users. Next, as myself (non-root) I opened the file with vi and
was able to save changes to it. When I exit the file, it's no longer
owned by root: it's owned by my non-root account. Behold:
[jcliburn@osprey ~]$ uname -a
Linux osprey 2.6.14-1.1656_FC4.netdev.8 #1 Wed Jan 11 23:24:33 EST 2006
x86_64 x86_64 x86_64 GNU/Linux
[jcliburn@osprey ~]$ id
uid=500(jcliburn) gid=500(jcliburn) groups=100(users),500(jcliburn)
[jcliburn@osprey ~]$ cd /opt
[jcliburn@osprey opt]$ ls -l | grep test
drwxrwx--- 2 root users 4096 Jan 19 19:19 test
[jcliburn@osprey opt]$ cd test
[jcliburn@osprey test]$ ls -l
total 4
-rw-r--r-- 1 root users 56 Jan 19 19:19 junk
[jcliburn@osprey test]$ cat junk
Hello there non-root mortal. Can you modify this file?
[jcliburn@osprey test]$ chown jcliburn:jcliburn junk
chown: changing ownership of `junk': Operation not permitted
[jcliburn@osprey test]$ vi junk
## Save changes within vi, then quit. ##
[jcliburn@osprey test]$ ls -l
total 4
-rw-r--r-- 1 jcliburn jcliburn 80 Jan 19 19:25 junk
[jcliburn@osprey test]$ cat junk
Hello there non-root mortal. Can you modify this file?
Why yes, I think I can.
[jcliburn@osprey test]$
This means that any group member can take ownership of another group
member's file -- even, as was demonstrated here, a file owned by root --
simply by using vi to edit the file!
It ain't supposed to be that way, right? What am I overlooking?
Jay
p.s. SELinux is disabled.
