From owner-freebsd-jail@FreeBSD.ORG Thu Apr 8 09:10:05 2010
Message-ID: <4BBD9569.9090901@quis.cx>
Date: Thu, 08 Apr 2010 10:35:53 +0200
From: Jille Timmermans
To: "Erich Jenkins, Fuujin Group Ltd"
Cc: freebsd-jail@freebsd.org
In-Reply-To: <4BBD9C6A.9020404@fuujingroup.com>
Subject: Re: file permissions and user access
List-Id: "Discussion about FreeBSD jail(8)"

For deleting files you need write permission on the directory the file is in.
The permissions of the file itself won't matter.

-- Jille

On 8-4-2010 11:05, Erich Jenkins, Fuujin Group Ltd wrote:
> I've gone through the archives for the Jail list, and I'm not finding
> anything specific to the issue we're experiencing. My apologies if this
> is a known issue or if I've done something daft, but there appears to be
> a file permission issue with jails.
>
> We have a large deployment of jailed systems, and an issue was brought
> to my attention today that I hope very much is the result of a
> misconfiguration or other mistake.
>
> Background:
>
> Environment is FreeBSD 7.0-REL and 8.0-REL
> Platforms include i386 (x86 Xeon), amd64 (Opteron) and sparc64 (Netra X1s)
> Jail environment is a Complete jail, not an application jail
>
> Situation:
>
> A user managed to kill an apache process today, resulting in their
> virtual web server (in a jail) going down. The user does not have root
> privileges on this box, and is not a member of wheel. Upon inspection, I
> found that the user had deleted a config file that was owned by root
> (chmod 700). It appears they were not able to read the file, but they
> were able to delete it, which I confirmed with the user.
>
> Test:
>
> To verify what appeared to be happening, I created a file in the user's
> home directory (typed some garbage into a text file) owned by root (700)
> and in the wheel group. I then logged into the user's account via ssh as
> that user. I attempted to su to root, which I could not (as expected). I
> tried to read the file and could not (as expected). Then I tried to
> delete the file. Bingo. File was gone.
>
> I also tried this via FTP using their account and the same thing
> happened. I could delete the file, but could not transfer it, nor open it.
>
> Any thoughts on this would be greatly appreciated. I've tried this in
> the lab and on some production boxes, and this appears to affect 7.0-REL
> and 8.0-REL (the only versions in the environment). This also does not
> appear to be specific to any particular architecture as I have tested on
> sparc64, amd64 and i386 boxes.
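Jille's rule above is ordinary Unix unlink(2) semantics rather than anything jail-specific; the following Python model is an added example, not code from this thread or from FreeBSD, and it goes one step further than the home-directory case by also covering a root-owned parent directory and a sticky-bit directory. All uids, gids and modes are constructed, and the model ignores ACLs and file flags such as schg.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Inode:
    mode: int   # permission bits; may include stat.S_ISVTX (the sticky bit)
    uid: int
    gid: int

@dataclass(frozen=True)
class Cred:
    uid: int
    gids: frozenset

def has_perm(inode, cred, bit):
    """Owner/group/other check for one permission bit: r=4, w=2, x=1."""
    if cred.uid == 0:                      # root bypasses the mode bits
        return True
    if cred.uid == inode.uid:
        return bool(inode.mode & (bit << 6))
    if inode.gid in cred.gids:
        return bool(inode.mode & (bit << 3))
    return bool(inode.mode & bit)

def can_unlink(parent, target, cred):
    """Model of unlink(2): only the parent directory decides, as Jille says."""
    if not (has_perm(parent, cred, 1) and has_perm(parent, cred, 2)):
        return False   # EACCES: need search (x) and write (w) on the directory
    if parent.mode & stat.S_ISVTX and cred.uid not in (0, parent.uid, target.uid):
        return False   # EPERM: sticky directory and caller owns neither file nor directory
    return True        # target.mode was never consulted

def scenarios():
    """Constructed cases: uid 1001 is the jailed user, uid 1002 another user."""
    user = Cred(uid=1001, gids=frozenset({1001}))
    root_cfg = Inode(mode=0o700, uid=0, gid=0)       # root-owned config, chmod 700
    home = Inode(mode=0o755, uid=1001, gid=1001)     # the user's own home directory
    etc_dir = Inode(mode=0o755, uid=0, gid=0)        # a root-owned directory
    tmp_dir = Inode(mode=0o1777, uid=0, gid=0)       # world-writable with sticky bit
    other_file = Inode(mode=0o644, uid=1002, gid=1002)
    own_file = Inode(mode=0o644, uid=1001, gid=1001)
    return {
        "read root cfg in home": has_perm(root_cfg, user, 4),          # False
        "unlink root cfg in home": can_unlink(home, root_cfg, user),   # True: the thread's case
        "unlink root cfg in root dir": can_unlink(etc_dir, root_cfg, user),   # False
        "unlink other's file in sticky dir": can_unlink(tmp_dir, other_file, user),  # False
        "unlink own file in sticky dir": can_unlink(tmp_dir, own_file, user),        # True
    }
```

Note the home-directory case: because the user owns that directory, a sticky bit on it would not change the outcome, so the fix is to keep root-owned configuration in a root-owned directory rather than under the user's home.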