Date: Sun, 22 Mar 2020 04:03:55 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 244967] pw userdel will delete a home directory not owned by the user (if it is empty)
Message-ID: <bug-244967-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244967

Bug ID: 244967
Summary: pw userdel will delete a home directory not owned by the user (if it is empty)
Product: Base System
Version: 12.1-RELEASE
Hardware: Any
OS: Any
Status: New
Keywords: patch
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: eric@erichanneken.com

Created attachment 212604
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=212604&action=edit
Patch to pw(8)

According to the man page for pw(8), pw userdel -n name -r will only remove files and directories that are actually owned by the user, or symbolic links owned by anyone under the user's home directory. The man page for rmuser(8), which wraps pw(8), makes a similar promise.

In reality, the ownership check is performed only for files in the user's home directory. The home directory itself, and any subdirectories, are deleted without regard to who owns them.

In most cases this is harmless because a directory not owned by the user will usually also contain files not owned by the user. pw won't delete the files, and its attempt to remove a non-empty directory will fail.

But if the other-owned home directory is empty (or if its files are weirdly all owned by the user being deleted), pw will delete it:

    # mkdir /var/shared
    # ls -ld /var/shared
    drwxr-xr-x 2 root wheel 2 Mar 21 23:40 /var/shared
    # pw useradd -n testuser1 -d /var/shared
    # pw useradd -n testuser2 -d /var/shared
    # grep 'testuser' /etc/passwd
    testuser1:*:1002:1002:User &:/var/shared:/bin/sh
    testuser2:*:1003:1003:User &:/var/shared:/bin/sh
    # pw userdel -n testuser1 -r
    # grep 'testuser' /etc/passwd
    testuser2:*:1003:1003:User &:/var/shared:/bin/sh
    # ls -ld /var/shared
    ls: /var/shared: No such file or directory

I have attached a patch which adds the ownership check to directories. It was made against revision 359195.

-- 
You are receiving this mail because:
You are the assignee for the bug.
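
The ownership rule described in the report, as an added C example. It is not the attached patch and not pw(8)'s source: `rm_owned` is a hypothetical helper, and it assumes directories are always descended into but removed only when owned by the uid being deleted.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <dirent.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: delete what `uid` owns at `name` (relative to
 * parentfd). Returns true only if `name` itself was removed. */
static bool rm_owned(int parentfd, const char *name, uid_t uid)
{
	struct stat st;
	struct dirent *e;
	DIR *d;
	int fd;

	if (fstatat(parentfd, name, &st, AT_SYMLINK_NOFOLLOW) != 0)
		return (false);
	if (S_ISLNK(st.st_mode))	/* links: any owner, never followed */
		return (unlinkat(parentfd, name, 0) == 0);
	if (!S_ISDIR(st.st_mode))	/* files: only the user's own */
		return (st.st_uid == uid && unlinkat(parentfd, name, 0) == 0);

	fd = openat(parentfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
	if (fd == -1 || fstat(fd, &st) != 0 || (d = fdopendir(fd)) == NULL) {
		if (fd != -1)
			close(fd);
		return (false);
	}
	while ((e = readdir(d)) != NULL)
		if (strcmp(e->d_name, ".") != 0 && strcmp(e->d_name, "..") != 0)
			rm_owned(fd, e->d_name, uid);
	closedir(d);
	/* Directory check: even an empty one stays unless `uid` owns it. */
	return (st.st_uid == uid && unlinkat(parentfd, name, AT_REMOVEDIR) == 0);
}

int main(void)
{
	char home[] = "/tmp/rm_owned.XXXXXX";	/* constructed sample home */
	if (mkdtemp(home) == NULL)
		return (1);
	printf("other uid: removed=%d\n", rm_owned(AT_FDCWD, home, getuid() + 1));
	printf("owner uid: removed=%d\n", rm_owned(AT_FDCWD, home, getuid()));
	return (0);
}
```
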