Common Permission Error
March 12, 2007
One extremely important part of using any multi-user operating system is correctly understanding permissions. Over the past couple of years I have been administering a Linux server with a lot of users, and one error has popped up over and over again. Many users forget, or never realize, that permission to delete a file from a directory is determined by the write flag of the directory, not the write flag of the file.
Take this scenario: Bob is an unprivileged user on a LAMP box and he is hosting a dynamic website. He wants to allow changes to folders within his public_html directory so he can do things like upload templates, media, etc. However, the Apache user is not Bob; it is something like www-data. As an unprivileged user, Bob cannot chown or chgrp a directory to a group he doesn’t belong to. He might think about contacting the sysadmin, but more likely he chmods the directories to a+w and is careful not to give the files the write flag, assuming that this is what determines whether a file can be deleted. This assumption is incorrect, and he is leaving his files to be deleted by anyone else who has an account on the server.
bob@lamp:~$ ls -l # note the test directory has o+w
drwxrwxrwx 2 bob stupid 4096 2008-07-01 10:27 test
bob@lamp:~$ cd test/
bob@lamp:~/test$ ls -l myfile # note that myfile does not have o+w
-rw-r--r-- 1 lundeen2 stupid 5 2008-07-01 10:28 myfile
bob@lamp:~/test$ su otheruser
otheruser@lamp:~/test$ rm myfile # other random users are able to delete this file
rm: remove write-protected regular file `myfile'? y
otheruser@lamp:~/test$ ls -l
There are several ways to handle Bob’s situation. Bob could ask a privileged user to add him to the www-data group (though this won’t work very well if all the users are part of this group), or he could ask the admin to chattr +i the file to make it immutable and therefore undeletable (though he himself could not delete it afterward either). A better way would probably be for Bob to use ACLs (e.g. setfacl) or to set the sticky bit on the directory (chmod +t). The sticky bit might be good enough, as it is probably what Bob wanted in the first place: other users besides himself can write to his directory, but only a file’s owner (or the directory’s owner, or root) can delete or rename it, so his and www-data’s files are protected. Using ACLs is probably best, but can also be slightly more complicated.
While the behavior of permissions may be obvious to a system administrator, to an average user it seems it is not. In my weekly cron scripts I have a “find / -type d \( -perm -o+w ! -perm -1000 \)” to search for all directories that are world-writable but lack the sticky bit.
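As an added example (not part of the original post), the following POSIX shell script turns the weekly audit into a reusable function and pairs it with the sticky-bit fix recommended above; the directory names and the scratch-directory demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit for world-writable directories without the sticky bit,
# and repair them the way the post recommends. Assumes POSIX find and chmod.

# Print every directory under $1 that is world-writable (o+w, mode bit 0002)
# but lacks the sticky bit (mode bit 1000). In such a directory any local
# account can unlink files it does not own, regardless of the files' own modes.
audit_world_writable_dirs() {
    root="$1"
    find "$root" -type d \( -perm -0002 ! -perm -1000 \) 2>/dev/null
}

# Keep o+w (other users may still create files) but add the sticky bit, so
# only a file's owner, the directory's owner, or root may delete or rename it.
fix_world_writable_dirs() {
    root="$1"
    audit_world_writable_dirs "$root" | while IFS= read -r dir; do
        chmod +t "$dir"
        printf 'sticky bit set on %s\n' "$dir"
    done
}

# Constructed demonstration in a throwaway directory: only "open" is reported
# before the fix, and nothing is reported after it.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/open" "$tmp/sticky" "$tmp/normal"
    chmod 0777 "$tmp/open"      # Bob's mistake: a+w with no sticky bit
    chmod 1777 "$tmp/sticky"    # world-writable but sticky, like /tmp
    chmod 0755 "$tmp/normal"    # not world-writable at all
    echo "before:"; audit_world_writable_dirs "$tmp"
    fix_world_writable_dirs "$tmp"
    echo "after:";  audit_world_writable_dirs "$tmp"
    rm -rf "$tmp"
}
```

Run `demo` interactively to see the before/after listing, or call `audit_world_writable_dirs /` from cron as the post does.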