On Thu, 2006-01-19 at 20:01 -0600, J. K. Cliburn wrote:
> Mikkel L. Ellertson wrote:
> > J. K. Cliburn wrote:
> > >
> > > I'm seeing some file ownership behavior that concerns me. Near as I can
> > > tell, a non-root user who's a member of a group can change ownership of
> > > a file that's owned by another member of the same group, even if the
> > > group perms for the file are read-only. I need to know if this is
> > > expected behavior. I also saw the behavior today in SLES9, although I
> > > need to verify the details more carefully tomorrow.
> > >
> > > On my Fedora machine I added my non-root self to group "users", then, as
> > > root, created a directory with root:users ownership. I then added a
> > > file inside that directory called "junk" with 644 perms and owned by
> > > root:users. Next, as myself (non-root) I opened the file with vi and
> > > was able to save changes to it. When I exit the file, it's no longer
> > > owned by root: it's owned by my non-root account. Behold:
> > >
> >
> > If you look, you will probably find the original file, owned by
> > root, renamed to junk~. What is going on is that when vi saves the
> > file, it first renames the original file to <filename>~ and then
> > saves the edited version as <filename>. Because the user had write
> > permission to the directory, they could rename the original file,
> > and save a new file with the original name. But it is owned by the
> > user that saved the file.
> >
> > Mikkel
>
> I don't think so. The ~ file isn't there, and the resulting file has
> the same inode number as the one root owned.
>
> [root@osprey test]# chown root:users junk
> [root@osprey test]# ls -ali junk
> 3074181 -rw-r--r-- 1 root users 56 Jan 19 19:56 junk
> [root@osprey test]#
>
>
> [jcliburn@osprey test]$ vi junk
> [jcliburn@osprey test]$ ls -ali
> total 12
> 3074178 drwxrwx--- 2 root users 4096 Jan 19 19:57 .
>       2 drwxrwxrwx 12 root root 4096 Jan 19 19:01 ..
> 3074181 -rw-r--r-- 1 jcliburn jcliburn 80 Jan 19 19:57 junk
> [jcliburn@osprey test]$

If the directory is group-writable, any member of the group can achieve
the same result by doing:

    $ cp junk junk.new
    $ rm junk
    $ mv junk.new junk

This doesn't explain the same inode number though.

Try a slightly different experiment, where you make a hard link to the
original file and then edit it. Do both versions of the file get their
ownership changed?

Paul.
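The hard-link experiment Paul proposes, written out as a script that anyone can run as a single unprivileged user. This is an added example and not code from any participant in the thread. It does not reproduce the ownership change (that needs two accounts and a root-owned file), but it isolates the other half of the question: whether an edit keeps the inode, whether the second hard link still sees the new content, and whether the link count survives. The "replace" branch uses the cp/rm/mv sequence from Paul's message; the "inplace" branch simply truncates and rewrites the existing file. The directory name, the file name "junk" and the content strings are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: run Paul's hard-link experiment as one
# user and report inode and link behaviour for two editing strategies.
set -e

# inode_of FILE  -> inode number (first column of ls -i)
inode_of() { ls -i "$1" | awk '{print $1}'; }

# links_of FILE  -> hard-link count (second column of ls -l)
links_of() { ls -l "$1" | awk '{print $2}'; }

# run_experiment MODE   where MODE is "inplace" or "replace"
# Prints: inode_same=<yes|no> links=<n> link_sees_edit=<yes|no>
run_experiment() {
    mode=$1
    dir=$(mktemp -d)                           # constructed scratch directory
    printf 'original\n' > "$dir/junk"
    ln "$dir/junk" "$dir/junk.link"            # second name for the same inode
    before=$(inode_of "$dir/junk")

    if [ "$mode" = inplace ]; then
        # open with truncation and write: the inode, its owner and its mode
        # are untouched, so every hard link sees the new content
        printf 'edited\n' > "$dir/junk"
    else
        # the copy/remove/rename sequence from Paul's message: the name
        # "junk" now points at a brand-new inode created by whoever ran
        # this, and only directory write permission was needed
        cp "$dir/junk" "$dir/junk.new"
        printf 'edited\n' > "$dir/junk.new"
        rm "$dir/junk"
        mv "$dir/junk.new" "$dir/junk"
    fi

    after=$(inode_of "$dir/junk")
    [ "$before" = "$after" ] && same=yes || same=no
    links=$(links_of "$dir/junk")
    grep -q edited "$dir/junk.link" && sees=yes || sees=no
    rm -rf "$dir"
    echo "inode_same=$same links=$links link_sees_edit=$sees"
}

run_experiment inplace
run_experiment replace
```

Running it prints one line per strategy. An in-place rewrite reports the same inode, a link count of 2 and the edit visible through junk.link; the cp/rm/mv replacement reports a new inode, a link count of 1 and junk.link still holding the original text. On a real two-user setup, comparing `ls -li` of both names before and after the edit in the same way tells you whether the editor wrote into root's inode or swapped a new file in under the old name.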