Package: src:linux Version: 5.14.12-1 Severity: normal Hi,
One of my users reported a strange file access problem to me: in a directory with the sticky bit set, such as /tmp, the write permission he sets on one of his (plain) files is ignored. He cannot allow another user to write to his file (no ACLs are involved). I dug into this issue and, indeed, I observe this strange behavior. The sticky bit on a directory changes file renaming and deletion, ok. But it should not change write access. I wrote the attached script. I ran it on ubuntu live 14, ubuntu live 20 and on my laptop (sid). The script was run in /tmp (sticky bit) and /home/$USER (no sticky bit). [users and groups have been changed for the runs on the sid machine] Access problems occur in /tmp on ubuntu live 20 and sid, but not in /home (all systems) nor on ubuntu live 14 in /tmp (old kernel). The results are in the attachments. Here is an extract with one problematic result:
vdanjean@eyak:/tmp$ id -un
vdanjean
vdanjean@eyak:/tmp$ ls -ld .
drwxrwxrwt 368 root root 196608 28 oct. 14:39 .
vdanjean@eyak:/tmp$ ls -l essai
-rw-rw-rw- 1 cbardel cbardel 4 28 oct. 13:33 essai
vdanjean@eyak:/tmp$ echo ok >> essai
bash: essai: Permission non accordée
With 0666 permission, anybody should be able to write to the file (even if the containing directory has the sticky bit set). Do you confirm this is a bug? Do you want me to look for the first kernel in Debian with this regression? Regards Vincent
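#!/bin/bash
#
# Probe read/append access to a file owned by another user, for several
# owner-group / mode combinations, in the current working directory.
# Run it once in a sticky world-writable directory (e.g. /tmp) and once in
# a non-sticky one (e.g. $HOME) and compare the output.
#
# Requires sudo (chown/chgrp/chmod on the test file). The invoking user is
# expected to be a member of SHARED_GROUP but not of PRIVATE_GROUP.
#
# NOTE(review): the write probe uses the shell's `>>` redirection, which
# opens the file with O_CREAT. Kernels that provide the
# fs.protected_regular sysctl (Linux 4.19 and later) refuse, when it is
# non-zero, an O_CREAT open of an existing regular file in a
# world-writable sticky directory unless the file belongs to the opener or
# to the directory owner. That is symlink/hardlink-style hardening for
# shared temporary directories, applied on top of the mode bits, so a
# "WRITE FORBIDEN" seen only in /tmp points at that setting rather than at
# the mode bits being ignored. An open without O_CREAT is not subject to
# this check.

# Exported so that the child commands (ls, cat, id, ...) also print
# untranslated messages; a plain assignment only affects bash itself.
export LC_ALL=C

# Test parameters; each can be overridden from the environment.
FILE=${FILE:-essai}
OTHER_USER=${OTHER_USER:-toto}
SHARED_GROUP=${SHARED_GROUP:-ubuntu}
PRIVATE_GROUP=${PRIVATE_GROUP:-toto}

# Print a command prefixed with "+ ", then run it.
display() {
  printf '+ %s\n' "$*"
  "$@"
}

# List the test file, then try to read it and to append to it.
#   $1 - label printed when the read is refused
#   $2 - label printed when the append is refused
# The labels record the expectation: "OK" means the refusal follows from
# the mode bits, "WHY?" means the mode bits alone would allow the access.
check() {
  display ls -l "$FILE"
  cat "$FILE" > /dev/null || echo "READ FORBIDEN $1"
  # `>>` opens with O_CREAT|O_APPEND (see the note at the top of the file).
  echo ok >> "$FILE" || echo "WRITE FORBIDEN $2"
}

display uname -a
display id
display id "$OTHER_USER"
display ls -ld "$(pwd)"

# Record the hardening setting that decides the outcome in sticky
# directories; the file is absent on kernels without the feature.
if [[ -r /proc/sys/fs/protected_regular ]]; then
  display cat /proc/sys/fs/protected_regular
else
  echo "+ fs.protected_regular: not provided by this kernel"
fi

# `>` also opens with O_CREAT, so this step can itself be refused when a
# file left over from a previous run is already owned by OTHER_USER.
echo "foo" > "$FILE" \
  || echo "INITIAL WRITE FAILED (is $FILE left over from a previous run?)"
sudo chown "$OTHER_USER" "$FILE"

# File group is one the invoking user belongs to.
sudo chgrp "$SHARED_GROUP" "$FILE"
sudo chmod 660 "$FILE"
check "" "WHY?"
sudo chmod 666 "$FILE"
check "" "WHY?"
sudo chmod 606 "$FILE"
check "OK" "OK"

# File group is one the invoking user does not belong to.
sudo chgrp "$PRIVATE_GROUP" "$FILE"
sudo chmod 660 "$FILE"
check "OK" "OK"
sudo chmod 666 "$FILE"
check "" "WHY?"
sudo chmod 606 "$FILE"
check "" "WHY?"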
+ uname -a Linux ubuntu 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux + id uid=999(ubuntu) gid=999(ubuntu) groups=999(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare) + id toto uid=1000(toto) gid=1000(toto) groups=1000(toto),999(ubuntu) + ls -ld /home/ubuntu drwxr-xr-x 15 ubuntu ubuntu 480 oct. 28 12:01 /home/ubuntu + ls -l essai -rw-rw---- 1 toto ubuntu 4 oct. 28 12:01 essai + ls -l essai -rw-rw-rw- 1 toto ubuntu 7 oct. 28 12:01 essai + ls -l essai -rw----rw- 1 toto ubuntu 10 oct. 28 12:01 essai cat: essai: Permission denied READ FORBIDEN OK /home/ubuntu/test-perms: line 18: essai: Permission denied WRITE FORBIDEN OK + ls -l essai -rw-rw---- 1 toto toto 10 oct. 28 12:01 essai cat: essai: Permission denied READ FORBIDEN OK /home/ubuntu/test-perms: line 18: essai: Permission denied WRITE FORBIDEN OK + ls -l essai -rw-rw-rw- 1 toto toto 10 oct. 28 12:01 essai + ls -l essai -rw----rw- 1 toto toto 13 oct. 28 12:01 essai
+ uname -a Linux ubuntu 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux + id uid=999(ubuntu) gid=999(ubuntu) groups=999(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare) + id toto uid=1000(toto) gid=1000(toto) groups=1000(toto),999(ubuntu) + ls -ld /tmp drwxrwxrwt 4 root root 200 oct. 28 12:01 /tmp + ls -l essai -rw-rw---- 1 toto ubuntu 4 oct. 28 12:01 essai + ls -l essai -rw-rw-rw- 1 toto ubuntu 7 oct. 28 12:01 essai + ls -l essai -rw----rw- 1 toto ubuntu 10 oct. 28 12:01 essai cat: essai: Permission denied READ FORBIDEN OK /home/ubuntu/test-perms: line 18: essai: Permission denied WRITE FORBIDEN OK + ls -l essai -rw-rw---- 1 toto toto 10 oct. 28 12:01 essai cat: essai: Permission denied READ FORBIDEN OK /home/ubuntu/test-perms: line 18: essai: Permission denied WRITE FORBIDEN OK + ls -l essai -rw-rw-rw- 1 toto toto 10 oct. 28 12:01 essai + ls -l essai -rw----rw- 1 toto toto 13 oct. 28 12:01 essai
+ uname -a Linux ubuntu 5.11.0-27-generic #29~20.04.1-Ubuntu SMP Wed Aug 11 15:58:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux + id uid=999(ubuntu) gid=999(ubuntu) groupes=999(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),132(lxd),133(sambashare) + id toto uid=1000(toto) gid=1000(toto) groupes=1000(toto),999(ubuntu) + ls -ld /home/ubuntu drwxr-xr-x 15 ubuntu ubuntu 440 oct. 28 12:17 /home/ubuntu + ls -l essai -rw-rw---- 1 toto ubuntu 4 oct. 28 12:18 essai + ls -l essai -rw-rw-rw- 1 toto ubuntu 7 oct. 28 12:18 essai + ls -l essai -rw----rw- 1 toto ubuntu 10 oct. 28 12:18 essai cat: essai: Permission non accordée READ FORBIDEN OK /home/ubuntu/test-perms: line 18: essai: Permission denied WRITE FORBIDEN OK + ls -l essai -rw-rw---- 1 toto toto 10 oct. 28 12:18 essai cat: essai: Permission non accordée READ FORBIDEN OK /home/ubuntu/test-perms: line 18: essai: Permission denied WRITE FORBIDEN OK + ls -l essai -rw-rw-rw- 1 toto toto 10 oct. 28 12:18 essai + ls -l essai -rw----rw- 1 toto toto 13 oct. 28 12:18 essai
+ uname -a Linux ubuntu 5.11.0-27-generic #29~20.04.1-Ubuntu SMP Wed Aug 11 15:58:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux + id uid=999(ubuntu) gid=999(ubuntu) groupes=999(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),132(lxd),133(sambashare) + id toto uid=1000(toto) gid=1000(toto) groupes=1000(toto),999(ubuntu) + ls -ld /tmp drwxrwxrwt 18 root root 420 oct. 28 12:17 /tmp /home/ubuntu/test-perms: line 25: essai: Permission denied + ls -l essai -rw-rw---- 1 toto ubuntu 4 oct. 28 12:16 essai /home/ubuntu/test-perms: line 18: essai: Permission denied WRITE FORBIDEN WHY? + ls -l essai -rw-rw-rw- 1 toto ubuntu 4 oct. 28 12:16 essai /home/ubuntu/test-perms: line 18: essai: Permission denied WRITE FORBIDEN WHY? + ls -l essai -rw----rw- 1 toto ubuntu 4 oct. 28 12:16 essai cat: essai: Permission non accordée READ FORBIDEN OK /home/ubuntu/test-perms: line 18: essai: Permission denied WRITE FORBIDEN OK + ls -l essai -rw-rw---- 1 toto toto 4 oct. 28 12:16 essai cat: essai: Permission non accordée READ FORBIDEN OK /home/ubuntu/test-perms: line 18: essai: Permission denied WRITE FORBIDEN OK + ls -l essai -rw-rw-rw- 1 toto toto 4 oct. 28 12:16 essai /home/ubuntu/test-perms: line 18: essai: Permission denied WRITE FORBIDEN WHY? + ls -l essai -rw----rw- 1 toto toto 4 oct. 28 12:16 essai /home/ubuntu/test-perms: line 18: essai: Permission denied WRITE FORBIDEN WHY?
+ uname -a Linux eyak 5.14.0-3-amd64 #1 SMP Debian 5.14.12-1 (2021-10-14) x86_64 GNU/Linux + id uid=1000(vdanjean) gid=1000(vdanjean) groupes=1000(vdanjean),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),103(fuse),104(scanner),111(netdev),112(bluetooth),131(wireshark),133(libvirt),141(systemd-journal),152(davfs2),155(sbuild),159(docker) + id cbardel uid=1002(cbardel) gid=1002(cbardel) groupes=1002(cbardel),111(netdev) + ls -ld /home/vdanjean drwxr-xr-x 293 vdanjean vdanjean 36864 28 oct. 14:24 /home/vdanjean + ls -l essai -rw-rw---- 1 cbardel netdev 4 28 oct. 14:24 essai + ls -l essai -rw-rw-rw- 1 cbardel netdev 7 28 oct. 14:24 essai + ls -l essai -rw----rw- 1 cbardel netdev 10 28 oct. 14:24 essai cat: essai: Permission non accordée READ FORBIDEN OK /tmp/test-perms: line 18: essai: Permission denied WRITE FORBIDEN OK + ls -l essai -rw-rw---- 1 cbardel cbardel 10 28 oct. 14:24 essai cat: essai: Permission non accordée READ FORBIDEN OK /tmp/test-perms: line 18: essai: Permission denied WRITE FORBIDEN OK + ls -l essai -rw-rw-rw- 1 cbardel cbardel 10 28 oct. 14:24 essai + ls -l essai -rw----rw- 1 cbardel cbardel 13 28 oct. 14:24 essai
+ uname -a Linux eyak 5.14.0-3-amd64 #1 SMP Debian 5.14.12-1 (2021-10-14) x86_64 GNU/Linux + id uid=1000(vdanjean) gid=1000(vdanjean) groupes=1000(vdanjean),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),103(fuse),104(scanner),111(netdev),112(bluetooth),131(wireshark),133(libvirt),141(systemd-journal),152(davfs2),155(sbuild),159(docker) + id cbardel uid=1002(cbardel) gid=1002(cbardel) groupes=1002(cbardel),111(netdev) + ls -ld /tmp drwxrwxrwt 367 root root 196608 28 oct. 14:24 /tmp /tmp/test-perms: line 25: essai: Permission denied + ls -l essai -rw-rw---- 1 cbardel netdev 4 28 oct. 13:33 essai /tmp/test-perms: line 18: essai: Permission denied WRITE FORBIDEN WHY? + ls -l essai -rw-rw-rw- 1 cbardel netdev 4 28 oct. 13:33 essai /tmp/test-perms: line 18: essai: Permission denied WRITE FORBIDEN WHY? + ls -l essai -rw----rw- 1 cbardel netdev 4 28 oct. 13:33 essai cat: essai: Permission non accordée READ FORBIDEN OK /tmp/test-perms: line 18: essai: Permission denied WRITE FORBIDEN OK + ls -l essai -rw-rw---- 1 cbardel cbardel 4 28 oct. 13:33 essai cat: essai: Permission non accordée READ FORBIDEN OK /tmp/test-perms: line 18: essai: Permission denied WRITE FORBIDEN OK + ls -l essai -rw-rw-rw- 1 cbardel cbardel 4 28 oct. 13:33 essai /tmp/test-perms: line 18: essai: Permission denied WRITE FORBIDEN WHY? + ls -l essai -rw----rw- 1 cbardel cbardel 4 28 oct. 13:33 essai /tmp/test-perms: line 18: essai: Permission denied WRITE FORBIDEN WHY?