Re: /tmp permissions, I don't get this...

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: OpenBSD misc <misc@...>

Subject: Re: /tmp permissions, I don't get this...

Date: Saturday, November 3, 2007 - 10:54 am

On Sat, 3 Nov 2007, Daniel wrote:
> Hi!

quoted text>

> Case 1:

> $ id

> uid=1000(leva) gid=1000(leva) groups=1000(leva)

> $ ls -ld /tmp/

> drwx----wt  4 root  wheel  512 Nov  3 13:05:03 2007 /tmp//

> $ touch /tmp/test && ls -l /tmp/test

> -rw-r-----  1 leva  wheel  0 Nov  3 13:09:04 2007 /tmp/test

> $ rm /tmp/test && ls -l /tmp/test

> ls: /tmp/test: No such file or directory

>

> I can create and remove files in and from the /tmp directory. This is

> the expected behaviour (at least for me).

>

>

> Case 2 (I've added myself to the wheel group):

> $ id

> uid=1000(leva) gid=1000(leva) groups=1000(leva), 0(wheel)

> $ ls -ld /tmp/

> drwx----wt  4 root  wheel  512 Nov  3 13:05:03 2007 /tmp//

> $ touch /tmp/test

> touch: /tmp/test: Permission denied

>

> ^^^ I can not create the file in /tmp, although I got world write

> permissions to it. It seems if I'm in the wheel group and the wheel

> group owns the directory, then only the group permissions counts?

> (sounds lame, but I can not think of other reasons).

> After changing the /tmp directory's group permissions to -wx, I can

> create and remove files from it while I'm in the wheel group.

>

> What could cause this behaviuour?
Evidently, the permission check moves left to right, so to speak.
Case1, can you do it as user (root)? No.  Can you do it as group

(wheel)?  You're not in group wheel, ignore group permissions. Can

you do it as other?  Yes.  (with the added features of the sticky

(man 8 sticky) bit.)
Case 2, you're denied by the group permissions.  Evidently creat

or stat or whatever bails out at this point.
The permissions 1703 (rwx----wt) *do* state that group wheel should

have no access to /tmp.  
So this looks like "expected operation".  1703 is a fairly weird

set of permissions, giving "other" more privilege than the group.
This might be useful, though, if you wanted a directory from

which members of group "leper" were excluded.
Are SysV, Posix, Linux and Old BSD semantics all the same here?

(I dunno).
Use 1777 and be happy.
Oh -- don't think of it as "world".  The proper term is "other".

You've given an example where that is relevant. (user-group-other).

If you're "user" or "group", you're not an "other".
Dave

--

      You don't have to like businessmen to like capitalism.

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

/tmp permissions, I don't get this..., Daniel, (Sat Nov 3, 8:14 am)

Re: /tmp permissions, I don't get this..., Woodchuck, (Sat Nov 3, 10:54 am)

Re: /tmp permissions, I don't get this..., Marc Espie, (Sat Nov 3, 10:13 am)

Re: /tmp permissions, I don't get this..., Daniel, (Sat Nov 3, 10:47 am)

Re: /tmp permissions, I don't get this..., Antoine Jacoutot, (Sat Nov 3, 9:12 am)

Re: /tmp permissions, I don't get this..., Daniel, (Sat Nov 3, 10:08 am)


linux-kernel:
Christoph Lameter	Re: [RFC 00/15] x86_64: Optimize percpu accesses
Linus Torvalds	Re: [Patch v2] Make PCI extended config space (MMCONFIG) a driver opt-in
Greg Kroah-Hartman	[PATCH 005/196] Chinese: add translation of SubmittingDrivers
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
git:

openbsd-misc:

linux-netdev:
David Miller	[GIT]: Networking
David Miller	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Christoph Hellwig	Re: [PATCH 06/32] IGET: Mark iget() and read_inode() as being obsolete [try #2]
Gerrit Renker	[PATCH 26/37] dccp: Integration of dynamic feature activation - part 1 (socket set...

Re: /tmp permissions, I don't get this...

Online users