Public bug reported:

In Focal (kernel 5.4), given the following scenario...

1. Directory owned by root:root with mode 1775 (sticky bit set)
2. File inside directory owned by www-data:www-data with mode 0664
3. fs.protected_regular set to non-0 value (the default is now 2)

... root is unable to write to the file if O_CREAT is set when opening
it. Setting fs.protected_regular=0 works around the problem.

This seems to be the result of this change:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=30aba6656f61ed44cba445a3c0d38b296fa9e8f5

It's not explicit in the commit message or documentation, but I wouldn't
expect this restriction to apply to root... right?


Replication:

% lsb_release -sd; cat /proc/version_signature
Ubuntu 20.04 LTS
Ubuntu 5.4.0-29.33-generic 5.4.30

# Create directory and file
% sudo -u www-data touch /tmp/myfile
% \ls -ld /tmp /tmp/myfile
drwxrwxrwt 13 root     root     4096 May  6 11:18 /tmp
-rw-rw-r--  1 www-data www-data    0 May  6 11:18 /tmp/myfile

# Write by owner: OK
% sudo -u www-data sh -c 'whoami > /tmp/myfile'
% cat /tmp/myfile
www-data

# Write by root, fs.protected_regular=2 (default): FAIL
% sudo sysctl fs.protected_regular
fs.protected_regular = 2
% sudo -u root sh -c 'whoami > /tmp/myfile'
sh: 1: cannot create /tmp/myfile: Permission denied
% cat /tmp/myfile
www-data

# Write by root, fs.protected_regular=1: FAIL
# (NOTE: This one seems to succeed if /tmp/myfile is owned by www-data:root
# instead of www-data:www-data)
% sudo sysctl fs.protected_regular=1
fs.protected_regular = 1
% sudo -u root sh -c 'whoami > /tmp/myfile'
sh: 1: cannot create /tmp/myfile: Permission denied
% cat /tmp/myfile
www-data

# Write by root, fs.protected_regular=0: OK
% sudo sysctl fs.protected_regular=0
fs.protected_regular = 0
% sudo -u root sh -c 'whoami > /tmp/myfile'
% cat /tmp/myfile
root

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1877151

Title:
  root unable to write to file in directory with sticky bit with
  fs.protected_regular set

Status in linux package in Ubuntu:
  New
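To make the observed behaviour concrete, here is an added Python model (not the kernel's code and not something from the reporter) of the may_create_in_sticky() decision that the linked commit introduced; it assumes www-data is uid 33 and the /tmp and file modes shown in the transcript. It reproduces the transcript's results, shows where protected_regular=1 and =2 differ (world-writable versus group-writable sticky directories), and makes visible why root gets no exemption: the function never consults capabilities, and the check is reached only on the O_CREAT path.

```python
import errno
import os
import stat

# Constructed values for the reporter's scenario; www-data is uid 33 on Ubuntu.
ROOT_UID = 0
WWW_DATA_UID = 33
TMP_DIR_MODE = stat.S_IFDIR | 0o1777            # drwxrwxrwt, as in the transcript
GROUP_WRITABLE_STICKY = stat.S_IFDIR | 0o1775   # the 1775 directory from the report
MYFILE_MODE = stat.S_IFREG | 0o664              # -rw-rw-r--


def may_create_in_sticky(dir_mode, dir_uid, inode_mode, inode_uid, fsuid,
                         protected_regular, protected_fifos=0):
    """Model of may_create_in_sticky() from the linked commit (a reimplementation
    for illustration, not kernel code). Returns 0 to allow, -EACCES to refuse.
    Nothing here consults capabilities, so fsuid 0 gets no special treatment."""
    is_fifo = stat.S_ISFIFO(inode_mode)
    is_reg = stat.S_ISREG(inode_mode)
    if ((not protected_fifos and is_fifo)
            or (not protected_regular and is_reg)
            or not (dir_mode & stat.S_ISVTX)       # directory is not sticky
            or inode_uid == dir_uid                # file owned by the dir owner
            or fsuid == inode_uid):                # opener owns the file
        return 0
    # Level 1 refuses in world-writable sticky dirs; level 2 also group-writable ones.
    if ((dir_mode & 0o002)
            or ((dir_mode & 0o020)
                and ((protected_fifos >= 2 and is_fifo)
                     or (protected_regular >= 2 and is_reg)))):
        return -errno.EACCES
    return 0


def open_permitted(open_flags, dir_mode, dir_uid, inode_mode, inode_uid, fsuid,
                   protected_regular):
    """True if the open gets past the sticky-directory check. As the report
    states, only opens with O_CREAT reach it; ordinary DAC checks are assumed
    to pass (root, or the 0664 file's owner)."""
    if not (open_flags & os.O_CREAT):
        return True
    return may_create_in_sticky(dir_mode, dir_uid, inode_mode, inode_uid,
                                fsuid, protected_regular) == 0


def write_open_as(fsuid, protected_regular, dir_mode=TMP_DIR_MODE, create=True):
    """`whoami > /tmp/myfile` opens with O_WRONLY|O_CREAT|O_TRUNC; create=False
    models opening the existing file for writing without O_CREAT."""
    flags = os.O_WRONLY | os.O_TRUNC | (os.O_CREAT if create else 0)
    return open_permitted(flags, dir_mode, ROOT_UID, MYFILE_MODE, WWW_DATA_UID,
                          fsuid, protected_regular)
```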
