Web lists-archives.com

Re: File permission confusion [Debian 9.1 with MATE]




Hi,

Richard Owlett wrote:
> As user "richard" I was able to delete them with Caja.

To prevent renaming or deletion of a file, you need to prevent writing
to the directory which hosts it. (Actually you delete the "dirent", which
points to the inode. The inode gets deleted when its last dirent is gone
and no filedescriptor is open on it any more.)

You may prevent writing either by taking away w-permission for everybody
  chmod a-w directory
or by preventing users from removing files which they don't own
  chmod +t directory
But the superuser will probably be able to override both of this without
the prior need to change the directory permissions.

There is
  chattr +i file
with some filesystems. I dimly remember we had a discussion about its
effectiveness a while ago ...


> Logged into Debian as "richard" SeaMonkey was able to change contents of
> those files.

It is a usual strategy against softlink spoofing to rename or delete the
original file and to store the changed content as new file.


Have a nice day :)

Thomas