Change ownership of directory owned by root

files permissions directory ownership
8,499

The owner of a directory can change the contents of the directory however they want. Even if there's a file in the directory that the directory owner isn't allowed to write, the directory owner can remove that file and create a new file by the same name.

More generally, if you have write permission to a directory, then you can remove and create files in that directory. Thus you can change files in that directory, not by writing to them if you don't have write permission on the file, but by deleting the existing file and creating a new file by the same name.

If you own a directory parent and it contains a subdirectory child that is owned by root and you don't have write permission on child, then you can't modify files in child. However, you can rename child and create a new subdirectory called child, which will be owned by you and thus can contain whatever you want.

This is why security checks that verify file control (e.g. the sanity checks that OpenSSH makes on private key files) verify the whole directory chain up to the root. Likewise, if you give a user sudo rights to run a file, the whole path to the file should be controlled by root. For example, don't give a user sudo rights to run a program that's under their home directory. (On the other hand, a setuid root program anywhere is fine, because setuid is attached to the file itself, not to its path.) Anyone who controls any intermediate step in the directory path can substitute their own content, not by editing the actual file, but by renaming a directory at the point in the path.

Share:
8,499
manifestor
Author by

manifestor

Updated on September 18, 2022

Comments

  • manifestor
    manifestor over 1 year

    As a non-privileged user, owning a directory on an EXT4 filesystem where I have all the necessary rights (rwx) gives me the possibility to change content and ownership of files (e.g. vim file and :w!) within it even if they are owned by root and even if I don't have the right to change them (root:root and 0644).

    Is that somehow possible with a directory owned by root if that directory is within a directory owned by my non-privileged user?

    • G-Man Says 'Reinstate Monica'
      G-Man Says 'Reinstate Monica' over 6 years
      What type of filesystem is it?   Please do not respond in comments; edit your question to make it clearer and more complete.
    • manifestor
      manifestor over 6 years
      @G-Man yes sure, I edited my question and added the FS-Type.
  • doneal24
    doneal24 over 6 years
    Editing the file should also not be permitted. Deleting it however is perfectly permissible.
  • manifestor
    manifestor over 6 years
    It is indeed possible, try vim file and then force the write with :w!.
  • Gilles 'SO- stop being evil'
    Gilles 'SO- stop being evil' over 6 years
    You can't change ownership of the existing file, but you can remove the file and create a new file by the same name and with the same content, owned by you.
  • manifestor
    manifestor over 6 years
    I gave sudo-rights to a shell-script in /home/${USER}/rootdir/ (where rootdir is owned by root:root with 0775) - so regarding your answer, even that is not secure, because ${USER} could rename the orginal rootdir, create a new directory with the same name rootdir and replace the script with it’s own version, which will pertain the same sudo-rights, correct?
  • Gilles 'SO- stop being evil'
    Gilles 'SO- stop being evil' over 6 years
    @chevallier You mean you gave a bob the right to run sudo /home/bob/rootdir/myscript? Indeed, that's insecure, because bob can do mv /home/bob/rootdir /home/bob/not.rootdir; mkdir /home/bob/not_rootdir; ln -s /bin/sh /home/bob/rootdir/myscript and then sudo /home/bob/rootdir/myscript will run sh as root.
  • Pankaj Goyal
    Pankaj Goyal over 6 years
    Neither of which are the stated scenario in the original question, since deleting and replacing a file and altering a file (or its properties) are different propositions.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Ubuntu File and folder permissions
How to allow users to create and delete file(s) / folder(s), but not modify them?
Getting access to var/www
Changing permissions for /var/www/html
What does the 's' in srwxr-xr-x in the 'ls' output mean?
Difference between executable directory vs executable files
How to make the newly created files inherit the directory's permissions...?
Can't rename a directory that I own
How to move a file to /usr/local in Ubuntu?
How to permanently change the file/directory permission