Your message dated Thu, 28 Oct 2021 16:52:51 +0200
with message-id <40ee0df0-deb3-4765-e204-2ccef7818...@debian.org>
and subject line Re: Bug#998005: Regression: bad handling of permission in directory with sticky bit
has caused the Debian Bug report #998005,
regarding Regression: bad handling of permission in directory with sticky bit
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
998005: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998005
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:linux
Version: 5.14.12-1
Severity: normal

Hi,

One of my users reported a strange file access problem to me:
in a directory with the sticky bit set, such as /tmp, the write
permission he sets on one of his (plain) files is ignored.
He cannot allow another user to write to his file (no ACLs
are involved).

I dug into this issue and, indeed, I observed this strange
behavior. The sticky bit on a directory changes file renaming
and deletion, ok. But it should not change write access.

I wrote the attached script. I ran it on Ubuntu live 14,
Ubuntu live 20 and on my laptop (sid). The script has been
run in /tmp (sticky bit) and /home/$USER (no sticky bit).
[users and groups have been changed for the runs on the sid
machine]
  Access problems occur in /tmp on Ubuntu live 20 and sid,
but not in /home (all systems) nor on Ubuntu live 14 in
/tmp (old kernel).

The results are in the attachments.

Here is an extract with one problematic result:
vdanjean@eyak:/tmp$ id -un
vdanjean
vdanjean@eyak:/tmp$ ls -ld .
drwxrwxrwt 368 root root 196608 28 oct.  14:39 .
vdanjean@eyak:/tmp$ ls -l essai 
-rw-rw-rw- 1 cbardel cbardel 4 28 oct.  13:33 essai
vdanjean@eyak:/tmp$ echo ok >> essai
bash: essai: Permission non accordée

With 0666 permissions, anybody should be able to write
to the file (even if the containing directory has the
sticky bit set).

Do you confirm this is a bug? Do you want me to look
for the first kernel in Debian with this regression?

  Regards
    Vincent

Attachment: test-perms (the script)
#!/bin/bash

export LC_ALL=C   # exported, so child commands (cat, ls) also print English messages

FILE=essai
OTHER_USER=toto
SHARED_GROUP=ubuntu
PRIVATE_GROUP=toto

display() {
    echo "+ $*"
    "$@"
}

check() {
    display ls -l "$FILE"
    cat "$FILE" > /dev/null || echo "READ FORBIDEN $1"
    echo ok >> "$FILE" || echo "WRITE FORBIDEN $2"   # open(O_WRONLY|O_CREAT|O_APPEND) on an existing file
}
    
display uname -a
display id
display id $OTHER_USER
display ls -ld "$(pwd)"
echo "foo" > "$FILE"   # open(O_WRONLY|O_CREAT|O_TRUNC); fails if a previous run left $FILE owned by $OTHER_USER

sudo chown "$OTHER_USER" "$FILE"
sudo chgrp "$SHARED_GROUP" "$FILE"

sudo chmod 660 $FILE
check "" "WHY?"

sudo chmod 666 $FILE
check "" "WHY?"

sudo chmod 606 $FILE
check "OK" "OK"


sudo chgrp $PRIVATE_GROUP $FILE

sudo chmod 660 $FILE
check "OK" "OK"

sudo chmod 666 $FILE
check "" "WHY?"

sudo chmod 606 $FILE
check "" "WHY?"

Attachment: output on Ubuntu live 14 (kernel 4.4.0), run in /home/ubuntu
+ uname -a
Linux ubuntu 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 
2019 x86_64 x86_64 x86_64 GNU/Linux
+ id
uid=999(ubuntu) gid=999(ubuntu) 
groups=999(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
+ id toto
uid=1000(toto) gid=1000(toto) groups=1000(toto),999(ubuntu)
+ ls -ld /home/ubuntu
drwxr-xr-x 15 ubuntu ubuntu 480 oct.  28 12:01 /home/ubuntu
+ ls -l essai
-rw-rw---- 1 toto ubuntu 4 oct.  28 12:01 essai
+ ls -l essai
-rw-rw-rw- 1 toto ubuntu 7 oct.  28 12:01 essai
+ ls -l essai
-rw----rw- 1 toto ubuntu 10 oct.  28 12:01 essai
cat: essai: Permission denied
READ FORBIDEN OK
/home/ubuntu/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN OK
+ ls -l essai
-rw-rw---- 1 toto toto 10 oct.  28 12:01 essai
cat: essai: Permission denied
READ FORBIDEN OK
/home/ubuntu/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN OK
+ ls -l essai
-rw-rw-rw- 1 toto toto 10 oct.  28 12:01 essai
+ ls -l essai
-rw----rw- 1 toto toto 13 oct.  28 12:01 essai

Attachment: output on Ubuntu live 14 (kernel 4.4.0), run in /tmp
+ uname -a
Linux ubuntu 4.4.0-142-generic #168~14.04.1-Ubuntu SMP Sat Jan 19 11:26:28 UTC 
2019 x86_64 x86_64 x86_64 GNU/Linux
+ id
uid=999(ubuntu) gid=999(ubuntu) 
groups=999(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
+ id toto
uid=1000(toto) gid=1000(toto) groups=1000(toto),999(ubuntu)
+ ls -ld /tmp
drwxrwxrwt 4 root root 200 oct.  28 12:01 /tmp
+ ls -l essai
-rw-rw---- 1 toto ubuntu 4 oct.  28 12:01 essai
+ ls -l essai
-rw-rw-rw- 1 toto ubuntu 7 oct.  28 12:01 essai
+ ls -l essai
-rw----rw- 1 toto ubuntu 10 oct.  28 12:01 essai
cat: essai: Permission denied
READ FORBIDEN OK
/home/ubuntu/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN OK
+ ls -l essai
-rw-rw---- 1 toto toto 10 oct.  28 12:01 essai
cat: essai: Permission denied
READ FORBIDEN OK
/home/ubuntu/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN OK
+ ls -l essai
-rw-rw-rw- 1 toto toto 10 oct.  28 12:01 essai
+ ls -l essai
-rw----rw- 1 toto toto 13 oct.  28 12:01 essai

Attachment: output on Ubuntu live 20 (kernel 5.11.0), run in /home/ubuntu
+ uname -a
Linux ubuntu 5.11.0-27-generic #29~20.04.1-Ubuntu SMP Wed Aug 11 15:58:17 UTC 
2021 x86_64 x86_64 x86_64 GNU/Linux
+ id
uid=999(ubuntu) gid=999(ubuntu) 
groupes=999(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),132(lxd),133(sambashare)
+ id toto
uid=1000(toto) gid=1000(toto) groupes=1000(toto),999(ubuntu)
+ ls -ld /home/ubuntu
drwxr-xr-x 15 ubuntu ubuntu 440 oct.  28 12:17 /home/ubuntu
+ ls -l essai
-rw-rw---- 1 toto ubuntu 4 oct.  28 12:18 essai
+ ls -l essai
-rw-rw-rw- 1 toto ubuntu 7 oct.  28 12:18 essai
+ ls -l essai
-rw----rw- 1 toto ubuntu 10 oct.  28 12:18 essai
cat: essai: Permission non accordée
READ FORBIDEN OK
/home/ubuntu/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN OK
+ ls -l essai
-rw-rw---- 1 toto toto 10 oct.  28 12:18 essai
cat: essai: Permission non accordée
READ FORBIDEN OK
/home/ubuntu/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN OK
+ ls -l essai
-rw-rw-rw- 1 toto toto 10 oct.  28 12:18 essai
+ ls -l essai
-rw----rw- 1 toto toto 13 oct.  28 12:18 essai

Attachment: output on Ubuntu live 20 (kernel 5.11.0), run in /tmp
+ uname -a
Linux ubuntu 5.11.0-27-generic #29~20.04.1-Ubuntu SMP Wed Aug 11 15:58:17 UTC 
2021 x86_64 x86_64 x86_64 GNU/Linux
+ id
uid=999(ubuntu) gid=999(ubuntu) 
groupes=999(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),132(lxd),133(sambashare)
+ id toto
uid=1000(toto) gid=1000(toto) groupes=1000(toto),999(ubuntu)
+ ls -ld /tmp
drwxrwxrwt 18 root root 420 oct.  28 12:17 /tmp
/home/ubuntu/test-perms: line 25: essai: Permission denied
+ ls -l essai
-rw-rw---- 1 toto ubuntu 4 oct.  28 12:16 essai
/home/ubuntu/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN WHY?
+ ls -l essai
-rw-rw-rw- 1 toto ubuntu 4 oct.  28 12:16 essai
/home/ubuntu/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN WHY?
+ ls -l essai
-rw----rw- 1 toto ubuntu 4 oct.  28 12:16 essai
cat: essai: Permission non accordée
READ FORBIDEN OK
/home/ubuntu/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN OK
+ ls -l essai
-rw-rw---- 1 toto toto 4 oct.  28 12:16 essai
cat: essai: Permission non accordée
READ FORBIDEN OK
/home/ubuntu/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN OK
+ ls -l essai
-rw-rw-rw- 1 toto toto 4 oct.  28 12:16 essai
/home/ubuntu/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN WHY?
+ ls -l essai
-rw----rw- 1 toto toto 4 oct.  28 12:16 essai
/home/ubuntu/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN WHY?

Attachment: output on the sid laptop (kernel 5.14.0-3), run in /home/vdanjean
+ uname -a
Linux eyak 5.14.0-3-amd64 #1 SMP Debian 5.14.12-1 (2021-10-14) x86_64 GNU/Linux
+ id
uid=1000(vdanjean) gid=1000(vdanjean) 
groupes=1000(vdanjean),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),103(fuse),104(scanner),111(netdev),112(bluetooth),131(wireshark),133(libvirt),141(systemd-journal),152(davfs2),155(sbuild),159(docker)
+ id cbardel
uid=1002(cbardel) gid=1002(cbardel) groupes=1002(cbardel),111(netdev)
+ ls -ld /home/vdanjean
drwxr-xr-x 293 vdanjean vdanjean 36864 28 oct.  14:24 /home/vdanjean
+ ls -l essai
-rw-rw---- 1 cbardel netdev 4 28 oct.  14:24 essai
+ ls -l essai
-rw-rw-rw- 1 cbardel netdev 7 28 oct.  14:24 essai
+ ls -l essai
-rw----rw- 1 cbardel netdev 10 28 oct.  14:24 essai
cat: essai: Permission non accordée
READ FORBIDEN OK
/tmp/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN OK
+ ls -l essai
-rw-rw---- 1 cbardel cbardel 10 28 oct.  14:24 essai
cat: essai: Permission non accordée
READ FORBIDEN OK
/tmp/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN OK
+ ls -l essai
-rw-rw-rw- 1 cbardel cbardel 10 28 oct.  14:24 essai
+ ls -l essai
-rw----rw- 1 cbardel cbardel 13 28 oct.  14:24 essai

Attachment: output on the sid laptop (kernel 5.14.0-3), run in /tmp
+ uname -a
Linux eyak 5.14.0-3-amd64 #1 SMP Debian 5.14.12-1 (2021-10-14) x86_64 GNU/Linux
+ id
uid=1000(vdanjean) gid=1000(vdanjean) 
groupes=1000(vdanjean),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),103(fuse),104(scanner),111(netdev),112(bluetooth),131(wireshark),133(libvirt),141(systemd-journal),152(davfs2),155(sbuild),159(docker)
+ id cbardel
uid=1002(cbardel) gid=1002(cbardel) groupes=1002(cbardel),111(netdev)
+ ls -ld /tmp
drwxrwxrwt 367 root root 196608 28 oct.  14:24 /tmp
/tmp/test-perms: line 25: essai: Permission denied
+ ls -l essai
-rw-rw---- 1 cbardel netdev 4 28 oct.  13:33 essai
/tmp/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN WHY?
+ ls -l essai
-rw-rw-rw- 1 cbardel netdev 4 28 oct.  13:33 essai
/tmp/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN WHY?
+ ls -l essai
-rw----rw- 1 cbardel netdev 4 28 oct.  13:33 essai
cat: essai: Permission non accordée
READ FORBIDEN OK
/tmp/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN OK
+ ls -l essai
-rw-rw---- 1 cbardel cbardel 4 28 oct.  13:33 essai
cat: essai: Permission non accordée
READ FORBIDEN OK
/tmp/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN OK
+ ls -l essai
-rw-rw-rw- 1 cbardel cbardel 4 28 oct.  13:33 essai
/tmp/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN WHY?
+ ls -l essai
-rw----rw- 1 cbardel cbardel 4 28 oct.  13:33 essai
/tmp/test-perms: line 18: essai: Permission denied
WRITE FORBIDEN WHY?

--- End Message ---
--- Begin Message ---
  Hi,

On 28/10/2021 15:24, Bastian Blank wrote:
> On Thu, Oct 28, 2021 at 02:51:48PM +0200, Vincent Danjean wrote:
>> Do you confirm this is a bug? Do you want me to look
>> for the first kernel in Debian with this regression?
>
> It is not a bug, these are hardening settings.  See documentation about
> the protected_regular setting in
> https://www.kernel.org/doc/Documentation/sysctl/fs.txt

  Thanks. I was not aware of this and never saw any documentation about it
until now.
So, I'm closing the "bug".

  Regards,
    Vincent

> Those are enabled by default and apply to all sticky directories, so
> mostly /tmp and /var/tmp.
>
> Bastian

--- End Message ---
