Source: linux Version: 6.1.20-1 Severity: normal Dear Maintainer,
Here's a session that demonstrates the issue:
-- >8 --
/srv# echo /srv/f > f
/srv# mkdir -m 1777 1777
/srv# ln -s /srv/f 1777/
/srv# chown _apt 1777/
/srv$ cat 1777/f
cat: 1777/f: Permission denied
/srv$ cat f
/srv/f
-- >8 --
Or, in short:
-- >8 --
$ find /srv/ -exec ls -ld {} +
drwxr-xr-x 3 root root 4096 Mar 25 17:34 /srv/
drwxrwxrwt 2 _apt root 4096 Mar 25 17:34 /srv/1777
lrwxrwxrwx 1 root root 6 Mar 25 17:34 /srv/1777/f -> /srv/f
-rw-r--r-- 1 root root 7 Mar 25 17:34 /srv/f
-- >8 --
If you don't chown (leave it owned 0:0), the cat succeeds.
If you make it 1755 instead of 1777, the cat succeeds as well!
This is obviously insane, but I'm assuming no-one noticed
because no-one uses sticky directories not owned 0:0.
If you additionally mkdir 1777/dir and make an identical symlink there,
the cat also succeeds.
Naturally, it should succeed in every scenario.
Best,
наб
-- System Information:
Debian Release: 12.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: amd64, i386
Kernel: Linux 6.1.0-2-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
signature.asc
Description: PGP signature
