On Wed, Mar 07, 2018 at 11:54:43AM +0100, epsilon...@tutanota.com wrote:
> 7. Mar 2018 11:27 by to...@tuxteam.de:
>
> > I can't reproduce, either. Once the chown to root happens, non-root
> > user can't touch files in directory. Ext4.
>
> I double checked. Sorry the previous example was not good. To reproduce the
> issue, you have to create another directory inside the top one. Here is a
> working example:
>
> # terminal A
> su
> mkdir /opt/experiment/
> chown aristo:aristo /opt/experiment
> mkdir /opt/experiment/apple
> chown aristo:aristo /opt/experiment/apple
>
> # terminal B,
> whoami # aristo
> cd /opt/experiment/apple
> touch aaa # OK

So far so good. Not surprising, IMO.

> # terminal A
> chown root:root /opt/experiment
> chmod 700 /opt/experiment
>
> # terminal B
> pwd # Gives /opt/experiment/apple
> touch bbb # OK bbb is created

Also OK. Or is that surprising to you? Aristo has write permissions
for apple.

> cd /opt/experiment/apple # Gives permission denied

That's also OK. While aristo has permissions for apple (x is relevant
here), it hasn't for experiment, so it can't "traverse" it.

> # new terminal C
> cd /opt/experiment/apple # Denied
> touch /opt/experiment/apple/ccc # Denied

Same as above: the resolution of the whole path requires traversing
each path's element in turn, and it fails at "experiment". There's
even a man page for that: see "man path_resolution" (part of the
manpages package).

> Note that, after chmod 700, in terminal B you can still create files,
> although you cannot cd into apple.

Yes, it is supposed to work like that.

Cheers
-- tomás
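
The behaviour confirmed in the reply above, reproduced without root as an added example that is not part of the original message. It assumes that `chmod 000` on the parent, run by its owner, stands in for the thread's `chown root:root` plus `chmod 700` (both remove the user's search permission on `experiment`); the function name and the temporary directory are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): relative vs. absolute path resolution
# after the parent directory has been locked down.
# Assumption: "chmod 000" replaces "chown root:root" + "chmod 700" so that the
# demo runs unprivileged; the effect on the calling user is the same.

demo_path_resolution() {
    base=$(mktemp -d) || return 2            # constructed scratch directory
    mkdir -p "$base/experiment/apple"
    (
        # "terminal B": the working directory is already inside apple
        cd "$base/experiment/apple" || exit 2

        # "terminal A": remove search (x) permission on the parent
        chmod 000 "$base/experiment"

        # Relative name: resolution starts at the current directory, so
        # "experiment" is never traversed; only apple's own mode is checked.
        if touch bbb 2>/dev/null; then rel=ok; else rel=denied; fi

        # Absolute name: resolution starts at / and needs x on every
        # component, so it stops at "experiment".
        # (A root process with CAP_DAC_OVERRIDE bypasses this check.)
        if touch "$base/experiment/apple/ccc" 2>/dev/null; then
            abs=ok
        else
            abs=denied
        fi

        echo "relative=$rel absolute=$abs"
    )
    # Restore access so the scratch tree can be removed
    chmod 700 "$base/experiment"
    rm -rf "$base"
}

demo_path_resolution
```

Locking down a parent directory therefore does not cut off sessions whose working directory is already below it; on Linux those processes can be found through `/proc/PID/cwd`.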