user may chown files to anyone else???

exsnafu (TechnicalUser) (OP)
24 Jan 11 13:09
I have a weird one and at this point I'm not sure if it's a bug or a feature.

I have two NFS mountpoints from two different Netapp filers.

On one netapp filer mountpoint, a user who owns the mountpoint directory may create a file in the mountpoint and then chown that file to any other user (including root), i.e.:

CODE

eddprf@server:/eddprf > ls -la
total 32
drwxrwxrwx    4 eddprf   eddprf         4096 Jan 21 10:22 .
drwxr-xr-x   51 root     system         4096 Jan 21 12:44 ..
eddprf@server:/eddprf > touch testfile
eddprf@server:/eddprf > ls -la
total 32
drwxrwxrwx    4 eddprf   eddprf         4096 Jan 24 10:59 .
drwxr-xr-x   51 root     system         4096 Jan 21 12:44 ..
-rw-rw-r--    1 eddprf   eddprf            0 Jan 24 10:59 testfile
eddprf@server:/eddprf > chown root testfile
eddprf@server:/eddprf > ls -la
total 32
drwxrwxrwx    4 eddprf   eddprf         4096 Jan 24 10:59 .
drwxr-xr-x   51 root     system         4096 Jan 21 12:44 ..
-rw-rw-r--    1 root     eddprf            0 Jan 24 10:59 testfile
eddprf@server:/eddprf > rm testfile
eddprf@server:/eddprf > ls -la
total 32
drwxrwxrwx    4 eddprf   eddprf         4096 Jan 24 10:59 .
drwxr-xr-x   51 root     system         4096 Jan 21 12:44 ..
eddprf@server:/eddprf >

But on any other netapp filer or local jfs2 mountpoints (like, say, /tmp), this ability is prohibited as I would expect, regardless of the permissions on the directory (as far as I can tell!).

At this point we can't find any difference in the way this mountpoint is mounted or created on the netapp side. The netapp versions between the two filers are the same, the qtrees have the same export rules and both are mounted with the same options, yet different results.

Is there some rule that in AIX a user should be allowed to do this in some cases?

 
Noway2 (Programmer)
24 Jan 11 17:10
Do you have any application like SELinux or Apparmor that is preventing or limiting the permissions on the /tmp directory?
 
AvayaTier3 (TechnicalUser)
25 Jan 11 12:22
You have shown an example of the change that is allowed.

Can you show the change that is not allowed along with the directories, ownership, permissions and returned errors?

 

A great teacher, does not provide answers, but methods to teach others "How and where to find the answers"

bsh

37 years Bell, AT&T, Lucent, Avaya
Tier 3 for 27 years and counting
http://bshtele.com

exsnafu (TechnicalUser) (OP)
25 Jan 11 12:40
Directories, ownership, permissions don't appear to make any difference.

At this point I've got a call open with IBM and after some traces they believe somehow the netapp filer is allowing this, although still investigating. I had kind of figured this would be more of an OS control.

CODE

[362][server]:/home/jquainta> cd /test1
[363][server]:/test1> ls -ld .
drwxr-xr-x    2 jquainta sysadmin       4096 Jan 25 09:48 .
[364][server]:/test1> touch gollum
[365][server]:/test1> ls -la
total 16
drwxr-xr-x    2 jquainta sysadmin       4096 Jan 25 10:32 .
drwxr-xr-x   53 root     system         4096 Jan 25 10:27 ..
-rw-r--r--    1 jquainta sysadmin          0 Jan 25 10:32 gollum
[366][server]:/test1> chown root gollum
[367][server]:/test1> ls -la
total 16
drwxr-xr-x    2 jquainta sysadmin       4096 Jan 25 10:32 .
drwxr-xr-x   53 root     system         4096 Jan 25 10:27 ..
-rw-r--r--    1 root     sysadmin          0 Jan 25 10:32 gollum
[368][server]:/test1> cd /test2
[369][server]:/test2> ls -ld .
drwxr-xr-x    3 jquainta sysadmin       4096 Jan 25 09:48 .
[370][uscobrmfa-at-02]:/test2> touch wormtongue
[371][server]:/test2> ls -la
total 32
drwxr-xr-x    3 jquainta sysadmin       4096 Jan 25 10:32 .
drwxr-xr-x   53 root     system         4096 Jan 25 10:27 ..
-rw-r--r--    1 jquainta sysadmin          0 Jan 25 10:32 wormtongue
[372][server]:/test2> chown root wormtongue
chown: wormtongue: Operation not permitted.
[373][server]:/test2>
[374][uscobrmfa-at-02]:/test2> mount|grep test
gollum-nas /vol/documentum/jefftest1 /test1           nfs3   Jan 25 10:30
wormtongue-nas /vol/PRTvol01/jefftest1 /test2           nfs3   Jan 25 10:31
[375][uscobrmfa-at-02]:/test2>

and no, the filers don't have any UID/user mapping, the two filers are at the same OS/firmware levels, same /etc/passwd, same exports.


 
exsnafu (TechnicalUser) (OP)
25 Jan 11 12:43
And oops. After reading the SELinux post with some confusion I realized I posted this to the wrong forum. I meant to post it in AIX. :D

Ah well, I don't see any way to move it.
exsnafu (TechnicalUser) (OP)
25 Jan 11 13:43
And as a final post to this misplaced thread, we found the root cause. I'll post it here because it turns out to affect Linux just as easily as AIX (both normally disallow this behavior, and many others I suspect also normally only allow root to chown).

On one of the netapp filers we had an option called "options wafl.root_only_chown" enabled. Learn something new every day.
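Since the thread shows the behaviour differs per export and is invisible from the client's mount options, an administrator wants a repeatable probe rather than a manual touch/chown. The script below is an added example, not from the thread or from NetApp: it reproduces the thread's touch-then-chown test against each mountpoint passed on the command line, as the ordinary user, and reports which exports still allow ownership giveaway. It assumes a POSIX sh with `mktemp` and `id` (hypothetical helper names `probe_chown_giveaway` and `report_giveaway`).

```shell
#!/bin/sh
# Added audit helper (not from the thread): does this filesystem let an
# unprivileged user hand a file to another owner (uid 0, as in the thread)?
# Return codes:
#   0 = giveaway ALLOWED  (e.g. NetApp export with wafl.root_only_chown off)
#   1 = giveaway denied   (expected on JFS2, ext4, and exports with the
#                          option on)
#   2 = inconclusive      (ran as root, or could not create a probe file)
probe_chown_giveaway() {
    probe_dir=$1
    # root may always chown, so a root run says nothing about the export.
    [ "$(id -u)" -ne 0 ] || return 2
    probe_file=$(mktemp "$probe_dir/.chownprobe.XXXXXX" 2>/dev/null) || return 2
    # Same step as the thread's session: try to give the file to uid 0.
    if chown 0 "$probe_file" 2>/dev/null; then
        # We no longer own it, but a writable, non-sticky directory still
        # lets us unlink it; ignore failure so no probe file is left behind.
        rm -f "$probe_file" 2>/dev/null
        return 0
    fi
    rm -f "$probe_file"
    return 1
}

# One report line per mountpoint; the word ALLOWED is what to grep for.
report_giveaway() {
    probe_chown_giveaway "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "$1: chown giveaway ALLOWED (check wafl.root_only_chown)" ;;
        1) echo "$1: chown giveaway denied" ;;
        *) echo "$1: inconclusive (run as a non-root user on a writable dir)" ;;
    esac
    return $rc
}

# Usage: sh probe.sh /test1 /test2   (run as the user who owns the exports)
for mp in "$@"; do
    report_giveaway "$mp"
done
```

The thread's pair of mounts would report /test1 as ALLOWED and /test2 as denied; a fleet-wide run over every NFS mountpoint is the quickest way to find the remaining filers with the option still unset.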
KenCunningham (TechnicalUser)
26 Jan 11 5:20
Worth a star for completing the picture exsnafu!

The internet - allowing those who don't know what they're talking about to have their say.
