Unexpected change of file owner:group

J. K. Cliburn jcliburn at gmail.com
Fri Jan 20 01:40:49 UTC 2006 

I'm seeing some file ownership behavior that concerns me.  Near as I can 
tell, a non-root user who's a member of a group can change ownership of 
a file that's owned by another member of the same group, even if the 
group perms for the file are read-only.  I need to know if this is 
expected behavior.  I also saw the behavior today in SLES9, although I 
need to verify the details more carefully tomorrow.

On my Fedora machine I added my non-root self to group "users", then, as 
root, created a directory with root:users ownership.  I then added a 
file inside that directory called "junk" with 644 perms and owned by
root:users.  Next, as myself (non-root) I opened the file with vi and
was able to save changes to it.  When I exit the file, it's no longer 
owned by root: it's owned by my non-root account.  Behold:

[jcliburn at osprey ~]$ uname -a
Linux osprey 2.6.14-1.1656_FC4.netdev.8 #1 Wed Jan 11 23:24:33 EST 2006 
x86_64 x86_64 x86_64 GNU/Linux
[jcliburn at osprey ~]$ id
uid=500(jcliburn) gid=500(jcliburn) groups=100(users),500(jcliburn)
[jcliburn at osprey ~]$ cd /opt
[jcliburn at osprey opt]$ ls -l | grep test
drwxrwx---   2 root     users     4096 Jan 19 19:19 test
[jcliburn at osprey opt]$ cd test
[jcliburn at osprey test]$ ls -l
total 4
-rw-r--r--  1 root users 56 Jan 19 19:19 junk
[jcliburn at osprey test]$ cat junk
Hello there non-root mortal.  Can you modify this file?
[jcliburn at osprey test]$ chown jcliburn:jcliburn junk
chown: changing ownership of `junk': Operation not permitted
[jcliburn at osprey test]$ vi junk

##  Save changes within vi, then quit.  ##

[jcliburn at osprey test]$ ls -l
total 4
-rw-r--r--  1 jcliburn jcliburn 80 Jan 19 19:25 junk
[jcliburn at osprey test]$ cat junk
Hello there non-root mortal.  Can you modify this file?
Why yes, I think I can.
[jcliburn at osprey test]$

This means that any group member can take ownership of another group 
member's file -- even, as was demonstrated here, a file owned by root -- 
simply by using vi to edit the file!

It ain't supposed to be that way, right?  What am I overlooking?

Jay

p.s.  SELinux is disabled.

More information about the fedora-list mailing list