libc6: Ordinary user can delete files owned by other user, root files too.

Bug #10192 reported by Debian Bug Importer
Affects          Status         Importance   Assigned to   Milestone
glibc (Debian)   Fix Released   Unknown
glibc (Ubuntu)   Invalid        High         Unassigned

Bug Description

Automatically imported from Debian bug report #280632 http://bugs.debian.org/280632

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 10 Nov 2004 17:30:13 +0100
From: Michal Zimen <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: libc6: Ordinary user can delete files owned by other user, root files too.

Package: libc6
Version: 2.3.2.ds1-18
Severity: critical
Justification: breaks the whole system

  A normal user can delete files which are not owned by him.

  try:
  x@y$ cd ~
  x@y$ su
  x@y# touch XXX
  x@y# chmod 700 XXX
  x@y# exit
  x@y$ rm -f XXX
  :) that file is deleted !!!

  I tried this on other kernels (2.6.8.1, 2.4.26) with the same
  result (the file was deleted).
  I am sure that the permissions are good, so it should not be deleted.

  But it is strange that not every file can be deleted.

  For example: at /, /bin it is not possible,
  but at /usr/bin/, ~/, /tmp it is really possible.

                        mizu

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-rc1-mm3-mizu
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)

Versions of packages libc6 depends on:
ii libdb1-compat 2.1.3-7 The Berkeley database routines [gl

-- no debconf information

Revision history for this message
In , Roxik (roxik-poczta) wrote : Re: Bug#280632: libc6: Ordinary user can delete files owned by other user, root files too.

> A normal user can delete files which are not owned by him.
>
> try:
> x@y$ cd ~
> x@y$ su
> x@y# touch XXX
> x@y# chmod 700 XXX
> x@y# exit
> x@y$ rm -f XXX
> :) that file is deleted !!!
Yeah... But who is the owner of this file??

Look:
SRV:/home/ftp# ls -la
-rw------- 1 root root 166 2004-05-12 15:07 welcome.msg

wiesiek@SRV:~$ rm -f welcome.msg
rm: cannot remove `welcome.msg': Permission denied

>
> for example: at /, /bin ..it is not possible,
> but at: /usr/bin/, ~/, /tmp it is really possible.
Yep... because it is owned by root, not by the x account in your example.

I never had any problems with removing non-owned files.
I suggest reading the manual of the LS command :)

--
I greet
Wieslaw


Revision history for this message
In , Andreas Barth (aba) wrote : Re: Bug#280632: libc6: Ordinary user can delete files owned by other user, root files too.

* Michal Zimen (<email address hidden>) [041110 17:45]:
> A normal user can delete files which are not owned by him.

This is part of the defined Unix behaviour. Whether you can delete a file
depends on the directory. If the user can write to the directory, he can
delete the file (with the exception that if the directory is sticky, he needs
also to own the file - but that's a later extension).

> but at: /usr/bin/, ~/, /tmp it is really possible.

I doubt that it works in /tmp on a regular Debian system, or that it
works in /usr/bin, or in ~ for someone other than the user whose home
directory it is. If it does on your system, please show ls -ld of the
directory.

Cheers,
Andi
--
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C

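The rule Andreas describes above, as an added example that is not part of the original thread or of glibc: a small Python model of the unlink(2) permission check (owner/group/other selection on the parent directory, the sticky-bit exception, root bypass) run against the three cases in the report, plus the audit a defender would actually want, which flags world-writable directories that lack the sticky bit. The names Inode, can_unlink and weak_dirs, the uid 1000 for user "x" and all modes are constructed for this example.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Inode:
    """The fields unlink(2) consults (a constructed stand-in for os.stat)."""
    uid: int
    gid: int
    mode: int  # permission bits incl. the sticky bit, e.g. 0o1777 for /tmp

def _permits(node: Inode, uid: int, gids: set, want: str) -> bool:
    """POSIX class selection: owner bits if we own it, else group, else other."""
    shift = 6 if uid == node.uid else 3 if node.gid in gids else 0
    return bool(node.mode & ({"r": 4, "w": 2, "x": 1}[want] << shift))

def can_unlink(parent: Inode, target: Inode, uid: int, gids: set) -> bool:
    """Unlink needs write+search on the parent directory; the target's own mode
    and owner do not matter unless the parent is sticky, in which case the caller
    must own the target or the parent. Root (uid 0) bypasses all of this."""
    if uid == 0:
        return True
    if not (_permits(parent, uid, gids, "w") and _permits(parent, uid, gids, "x")):
        return False
    if parent.mode & stat.S_ISVTX:
        return uid in (target.uid, parent.uid)
    return True

def weak_dirs(dirs: dict) -> list:
    """Defender's audit over {path: Inode}: world-writable directories without
    the sticky bit let any local user delete any other user's files there."""
    return sorted(p for p, n in dirs.items()
                  if n.mode & stat.S_IWOTH and not n.mode & stat.S_ISVTX)

# Constructed reproduction of the report: user "x" is uid 1000, root's XXX sits in ~x.
X, XG = 1000, {1000}
HOME_X = Inode(1000, 1000, 0o700)   # ~x: x may write and search it
ROOT_FILE = Inode(0, 0, 0o700)      # "touch XXX; chmod 700 XXX" done as root
TMP = Inode(0, 0, 0o1777)           # sticky and world-writable
USR_BIN = Inode(0, 0, 0o755)        # root-owned, not writable by x
SHARED = Inode(0, 0, 0o777)         # misconfigured shared directory, no sticky bit

if __name__ == "__main__":
    for where, d in (("~x", HOME_X), ("/tmp", TMP), ("/usr/bin", USR_BIN)):
        print(f"rm {where}/XXX as x -> {can_unlink(d, ROOT_FILE, X, XG)}")  # True, False, False
    print("weak dirs:", weak_dirs({"/tmp": TMP, "/srv/shared": SHARED}))  # ['/srv/shared']
```

The model covers classic mode bits only; POSIX ACLs and capabilities such as CAP_FOWNER are not represented.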
Revision history for this message
James Troup (elmo) wrote :

This is not a bug.

Changed in glibc:
status: Unknown → Fix Released