/
delete.test
82 lines (66 loc) · 1.99 KB
/
delete.test
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
$ mkdir d
$ cd d
$ whoami
> root
$ id -Gn daemon
> daemon bin
$ mkdir n1
$ touch n1/f n1/g
$ chmod o+w n1/g
$ mkdir d2 d3 d4 d5 d6 d7
$ touch d2/f d3/f d4/f d5/f d6/f d7/f d7/g
$ chown daemon d2
$ chgrp bin d3
$ chmod g+w d3
$ richacl --set 'daemon:wx::allow' d4
$ richacl --set 'daemon:d::allow' d5
$ richacl --set 'daemon:xd::allow' d6
$ richacl --set 'daemon:D::allow' d7/f d7/g
$ chmod 664 d7/g
$ mkdir s2 s3 s4 s5 s6 s7
$ chmod +t s2 s3 s4 s5 s6 s7
$ touch s2/f s3/f s4/f s5/f s6/f s7/f s7/g
$ chown daemon s2
$ chgrp bin s3
$ chmod g+w s3
$ richacl --set 'daemon:wx::allow' s4
$ richacl --set 'daemon:d::allow' s5
$ richacl --set 'daemon:xd::allow' s6
$ richacl --set 'daemon:D::allow' s7/f
$ richacl --set 'daemon:D::allow' s7/g s7/g
$ chmod 664 s7/g
$ su daemon
Cannot delete files without permissions:
$ rm n1/f
> rm: cannot remove `n1/f': Permission denied
Cannot delete files without permissions:
$ rm n1/g
> rm: cannot remove `n1/g': Permission denied
Can delete files we own:
$ rm d2/f s2/f
Cannot delete files where we are in the owning group in a non-sticky directory,
but not in a sticky one:
$ rm d3/f s3/f
> rm: cannot remove `s3/f': Operation not permitted
"Write_data/execute" access does not include delete_child access, and so this
is not enough for deleting:
$ rm d4/f s4/f
> rm: cannot remove `d4/f': Permission denied
> rm: cannot remove `s4/f': Permission denied
"Delete_child" access alone also is not sufficient:
$ rm d5/f s5/f
> rm: cannot remove `d5/f': Permission denied
> rm: cannot remove `s5/f': Permission denied
"Execute/delete_child" on the directory does allow that, though, but only in
a non-sticky directory:
$ rm d6/f s6/f
> rm: cannot remove `s6/f': Operation not permitted
"Delete" on the child itself overrides the sticky check as well:
$ rm d7/f s7/f
But Delete is not a subset of POSIX read/write, so chmod turns it off:
$ rm d7/g s7/g
> rm: cannot remove `d7/g': Permission denied
> rm: cannot remove `s7/g': Permission denied
$ su
$ cd ..
$ rm -rf d