file permissions and user access
jille at quis.cx
Thu Apr 8 09:10:05 UTC 2010
For deleting files you need write permission on the directory the file is in.
The permissions of the file itself won't matter.
Op 8-4-2010 11:05, Erich Jenkins, Fuujin Group Ltd schreef:
> I've gone through the archives for the Jail list, and I'm not finding
> anything specific to the issue we're experiencing. My apologies if this
> is a known issue or if I've done something daft, but there appears to be
> a file permission issue with jails.
> We have a large deployment of jailed systems, and an issue was brought
> to my attention today that I hope very much is the result of a
> misconfiguration or other mistake.
> Environment is FreeBSD 7.0-REL and 8.0-REL
> Platforms include i386 (x86 Xeon), amd64 (Opteron) and sparc64 (Netra X1's)
> Jail environment is a Complete jail, not an application jail
> A user managed to kill an apache process today, resulting in their
> virtual web server (in a jail) going down. The user does not have root
> privileges on this box, and is not a member of wheel. Upon inspection, I
> found that the user had deleted a config file that was owned by root
> (chmod 700). It appears they were not able to read the file, but they
> were able to delete it which I confirmed with the user.
> To verify what appeared to be happening, I created a file in the users
> home directory (typed some garbage into a text file) owned by root (700)
> and in the wheel group. I then logged into the users account via ssh as
> that user. I attempted to su to root, which I could not (as expected). I
> tried to read the file and could not (as expected). Then I tried to
> delete the file. Bingo. File was gone.
> I also tried this via FTP using their account and the same thing
> happened. I could delete the file, but could not transfer it, nor open it.
> Any thoughts on this would be greatly appreciated. I've tried this in
> the lab and on some production boxes, and this appears to affect 7.0-REL
> and 8.0-REL (the only versions in the environment). This also does not
> appear to be specific to any particular architecture as I have tested on
> sparc64, amd64 and i386 boxes.
More information about the freebsd-jail