Change ownership of directory owned by root
The owner of a directory can change the contents of the directory however they want. Even if there's a file in the directory that the directory owner isn't allowed to write, the directory owner can remove that file and create a new file by the same name.
More generally, if you have write permission to a directory, then you can remove and create files in that directory. Thus you can change files in that directory, not by writing to them if you don't have write permission on the file, but by deleting the existing file and creating a new file by the same name.
If you own a directory parent
and it contains a subdirectory child
that is owned by root and you don't have write permission on child
, then you can't modify files in child
. However, you can rename child
and create a new subdirectory called child
, which will be owned by you and thus can contain whatever you want.
This is why security checks that verify file control (e.g. the sanity checks that OpenSSH makes on private key files) verify the whole directory chain up to the root. Likewise, if you give a user sudo rights to run a file, the whole path to the file should be controlled by root. For example, don't give a user sudo rights to run a program that's under their home directory. (On the other hand, a setuid root program anywhere is fine, because setuid is attached to the file itself, not to its path.) Anyone who controls any intermediate step in the directory path can substitute their own content, not by editing the actual file, but by renaming a directory at the point in the path.
manifestor
Updated on September 18, 2022Comments
-
manifestor over 1 year
As a non-privileged user, owning a directory on an
EXT4
filesystem where I have all the necessary rights (rwx
) gives me the possibility to change content and ownership of files (e.g.vim file
and:w!
) within it even if they are owned by root and even if I don't have the right to change them (root:root
and0644
).Is that somehow possible with a directory owned by root if that directory is within a directory owned by my non-privileged user?
-
G-Man Says 'Reinstate Monica' over 6 yearsWhat type of filesystem is it? Please do not respond in comments; edit your question to make it clearer and more complete.
-
manifestor over 6 years@G-Man yes sure, I edited my question and added the FS-Type.
-
-
doneal24 over 6 yearsEditing the file should also not be permitted. Deleting it however is perfectly permissible.
-
manifestor over 6 yearsIt is indeed possible, try
vim file
and then force the write with:w!
. -
Gilles 'SO- stop being evil' over 6 yearsYou can't change ownership of the existing file, but you can remove the file and create a new file by the same name and with the same content, owned by you.
-
manifestor over 6 yearsI gave sudo-rights to a shell-script in
/home/${USER}/rootdir/
(whererootdir
is owned byroot:root
with0775
) - so regarding your answer, even that is not secure, because${USER}
could rename the orginalrootdir
, create a new directory with the same namerootdir
and replace the script with it’s own version, which will pertain the same sudo-rights, correct? -
Gilles 'SO- stop being evil' over 6 years@chevallier You mean you gave a bob the right to run
sudo /home/bob/rootdir/myscript
? Indeed, that's insecure, because bob can domv /home/bob/rootdir /home/bob/not.rootdir; mkdir /home/bob/not_rootdir; ln -s /bin/sh /home/bob/rootdir/myscript
and thensudo /home/bob/rootdir/myscript
will run sh as root. -
Pankaj Goyal over 6 yearsNeither of which are the stated scenario in the original question, since deleting and replacing a file and altering a file (or its properties) are different propositions.