Bug 455773 - Ownership of any file can be changed using vi
Summary: Ownership of any file can be changed using vi
Alias: None
Product: Fedora
Classification: Fedora
Component: vim
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Karsten Hopp
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2008-07-17 17:24 UTC by Stewart Adam
Modified: 2008-07-18 09:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-07-17 17:32:53 UTC

Description Stewart Adam 2008-07-17 17:24:41 UTC
Description of problem:
By using vi, the ownership of files can be changed to the current user simply by
opening, forcing a write and quitting vi.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. su -c "touch testfile"
2. chmod 600 testfile
3. vi testfile
4. :wq!
5. ls -l testfile

Actual results:
The ownership of the file is changed to the current user

Expected results:
File ownership does not change

Additional info:
Even works on system libraries in /lib, this is a pretty bad security bug!

Comment 1 Stewart Adam 2008-07-17 17:32:53 UTC
Never mind, it doesn't work in /lib, only in folders you have write access to. I
had copied libc to ~, which is why it worked.

Comment 2 Lukasz Lancucki 2008-07-17 21:44:15 UTC
It's even worse.
I did the test with a non-empty file and the file has been overwritten!

Comment 3 Karsten Hopp 2008-07-18 00:14:21 UTC
That's how directory permissions work. Check out the permissions of your current
working directory (ls -ld .) and I'd bet that you're the owner of that directory.
From 'info libc':
The owner of the directory can delete any file in the directory, no matter who
owns it (provided the owner has given himself write permission for the directory).
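
The directory-permission rule quoted in comment 3, as an added example that is not part of the original bug report: replacing a file through its directory entry yields a new inode created by (and therefore owned by) the current user, and it only works while the directory is writable. The replace-by-rename helper is an assumption that models the effect, not vim's exact code path; all paths are constructed temp files.

```shell
#!/bin/sh
# Added example (not from the bug report). Constructed temp paths only.

inode_of() { ls -di "$1" | awk '{print $1}'; }

# Replace "$1" with a new file containing "$2" by creating a sibling file and
# renaming it over the target. Only directory write access is needed; the
# target file's own permission bits are never consulted.
replace_via_dir() {
    tmp="$(dirname "$1")/.replace.$$"
    { printf '%s\n' "$2" > "$tmp"; } 2>/dev/null || return 1
    mv -f "$tmp" "$1" 2>/dev/null || { rm -f "$tmp"; return 1; }
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'original\n' > "$d/testfile"
    chmod 400 "$d/testfile"              # the file itself is not writable
    before=$(inode_of "$d/testfile")

    # Directory is writable: the replacement succeeds despite mode 400.
    if replace_via_dir "$d/testfile" "replaced"; then writable_rc=0; else writable_rc=1; fi
    after=$(inode_of "$d/testfile")
    content=$(cat "$d/testfile")

    # Directory is not writable: the same operation is refused (root bypasses this).
    chmod 555 "$d"
    if replace_via_dir "$d/testfile" "again"; then readonly_rc=0; else readonly_rc=1; fi

    chmod 755 "$d"; rm -rf "$d"
    changed=$([ "$before" != "$after" ] && echo yes || echo no)
    echo "writable_dir_rc=$writable_rc inode_changed=$changed content=$content readonly_dir_rc=$readonly_rc"
}

demo
```

A changed inode number is the sign that the file was replaced rather than chown'd or edited in place.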

Comment 4 Lukasz Lancucki 2008-07-18 09:21:20 UTC
OK, so the way it works in Fedora 8, updated to current versions of packages,
is that after opening a file owned by somebody else with vi and saving it with
the w! command, you overwrite the file with an empty one. In Fedora 9, also
updated to current versions of packages, you are able to change the owner of the
file by opening it in vi and saving with w!, and the file does not change its
content. I am wondering which behaviour is better?
I think it is not consistent, because you can't do the same using standard Linux
tools like chown. It looks like a hack. (In reply to comment #3)
