Unexpected change of file owner:group

Paul Howarth paul at city-fan.org
Fri Jan 20 08:41:31 UTC 2006


On Thu, 2006-01-19 at 20:01 -0600, J. K. Cliburn wrote:
> Mikkel L. Ellertson wrote:
> > J. K. Cliburn wrote:
> > 
> >>I'm seeing some file ownership behavior that concerns me.  Near as I can
> >>tell, a non-root user who's a member of a group can change ownership of
> >>a file that's owned by another member of the same group, even if the
> >>group perms for the file are read-only.  I need to know if this is
> >>expected behavior.  I also saw the behavior today in SLES9, although I
> >>need to verify the details more carefully tomorrow.
> >>
> >>On my Fedora machine I added my non-root self to group "users", then, as
> >>root, created a directory with root:users ownership.  I then added a
> >>file inside that directory called "junk" with 644 perms and owned by
> >>root:users.  Next, as myself (non-root) I opened the file with vi and
> >>was able to save changes to it.  When I exit the file, it's no longer
> >>owned by root: it's owned by my non-root account.  Behold:
> >>
> > 
> > If you look, you will probably find the original file, owned by
> > root, renamed to junk~. What is going on is that when vi saves the
> > file, it first renames the original file to <filename>~ and then
> > saves the edited version as <filename>. Because the user had write
> > permission to the directory, they could rename the original file,
> > and save a new file with the original name. But it is owned by the
> > user that saved the file.
> > 
> > Mikkel
> 
> I don't think so.  The ~ file isn't there, and the resulting file has 
> the same inode number as the one root owned.
> 
> [root at osprey test]# chown root:users junk
> [root at osprey test]# ls -ali junk
> 3074181 -rw-r--r--  1 root users 56 Jan 19 19:56 junk
> [root at osprey test]#
> 
> 
> [jcliburn at osprey test]$ vi junk
> [jcliburn at osprey test]$ ls -ali
> total 12
> 3074178 drwxrwx---   2 root     users    4096 Jan 19 19:57 .
>        2 drwxrwxrwx  12 root     root     4096 Jan 19 19:01 ..
> 3074181 -rw-r--r--   1 jcliburn jcliburn   80 Jan 19 19:57 junk
> [jcliburn at osprey test]$

If the directory is group-writable, any member of the group can achieve
the same result by doing:

$ cp junk junk.new
$ rm junk
$ mv junk.new junk

This doesn't explain the same inode number though. Try a slightly
different experiment, where you make a hard link to the original file
and then edit it. Do both versions of the file get their ownership
changed?

Paul.
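
The hard-link experiment suggested above, written out as a script; this is an added example, not part of the original message. It compares an in-place write with the cp/rm/mv replacement and reports whether the name and its hard link still share an inode afterwards; while the link exists the original inode stays allocated, so a replacement file cannot be given the same number. Assumptions: it runs as one ordinary user in a scratch directory from mktemp, so only inode identity is checked, not ownership, and the function names and junk.link are made up for illustration.

```shell
#!/bin/sh
# Added example: hard-link test to tell an in-place write from a file replacement.
# All names except "junk" are hypothetical; data is constructed in a temp dir.

# Print the inode number of a path.
inode_of() { ls -i "$1" | awk '{print $1}'; }

# Replace a file the way the message describes: copy, remove, rename.
# Only write permission on the directory is needed for the rm and mv.
replace_by_copy() {
    cp "$1" "$1.new" && rm -f "$1" && mv "$1.new" "$1"
}

# Print "in-place" if NAME and LINK still share an inode, else "replaced".
classify() {
    if [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; then
        echo in-place
    else
        echo replaced
    fi
}

# Body is a subshell so the cd does not affect the caller.
run_experiment() (
    workdir=$(mktemp -d) || exit 1
    cd "$workdir" || exit 1

    echo original > junk
    ln junk junk.link              # second name for the same inode

    echo appended >> junk          # write through the existing inode
    first=$(classify junk junk.link)

    replace_by_copy junk           # new inode takes over the name
    second=$(classify junk junk.link)

    ls -li junk junk.link >&2      # listing for the reader, on stderr
    cd / && rm -rf "$workdir"
    echo "$first $second"
)

run_experiment
```

If an editor's save leaves junk.link with the old owner and old contents while junk has the new ones, the editor replaced the file rather than writing to it.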