How does vim steal root owned files

permissionsvim

Witness the following:

sh-3.2$ mkdir testcase
sh-3.2$ cd testcase
sh-3.2$ sudo touch temp
sh-3.2$ ls -al
total 0
drwxr-xr-x   3 glen  staff  102 19 Dec 12:38 .
drwxr-xr-x  12 glen  staff  408 19 Dec 12:38 ..
-rw-r--r--   1 root  staff    0 19 Dec 12:38 temp

sh-3.2$ echo nope > temp
sh: temp: Permission denied

sh-3.2$ vim temp
# inside vim
itheivery
# press [ESC]
:wq!
# vim exits

sh-3.2$ ls -al
total 8
drwxr-xr-x   3 glen  staff  102 19 Dec 12:38 .
drwxr-xr-x  12 glen  staff  408 19 Dec 12:38 ..
-rw-r--r--   1 glen  staff    7 19 Dec 12:38 temp

Somehow vim has taken this root-owned file, and changed it into a user owned file!

This only seems to work if the user owns the directory – but it still feels like it shouldn't be possible. Can anyone explain how this is done?

Best Answer

You, glen, are the owner of the directory (see the . file in your listing). A directory is just a list of files and you have the permission to alter this list (e.g. add files, remove files, change ownerships to make it yours again, etc.). You may not be able to alter the contents of the file directly, but you can read and unlink (remove) the file as a whole and add new files subsequently.¹ Only witnessing the before and after, this may look like the file has been altered.

Vim uses swap files and moves files around under water, so that explains why it seems to write to the same file as you do in your shell, but it's not the same thing.²

So, what Vim does, comes down to this:

cat temp > .temp.swp          # copy file by contents into a new glen-owned file
echo nope >> .temp.swp        # or other command to alter the new file
rm temp && mv .temp.swp temp  # move temporary swap file back

¹_{This is an important difference in file permission handling between Windows and Unices. In Windows, one is usually not able to remove files you don't have write permission for.}

² update: as noted in the comments, Vim does not actually do it this way for changing the ownership, as the inode number on the temp file does not change (comaring ls -li before and after). Using strace we can see exactly what vim does. The interesting part is here:

open("temp", O_WRONLY|O_CREAT|O_TRUNC, 0664) = -1 EACCES (Permission denied)
unlink("temp")                               = 0
open("temp", O_WRONLY|O_CREAT|O_TRUNC, 0664) = 4
write(4, "more text bla\n", 14)              = 14
close(4)                                     = 0
chmod("temp", 0664)                          = 0

This shows that it only unlinks, but does not close the file descriptor to temp. It rather just overwrites its whole contents (more text bla\n in my case). I guess this explains why the inode number does not change.

Related Solutions

Freebsd – Read files owned by another user as non-root

Use sudo.

If your sudoers file lists an exact and specific command then the command must be called exactly as listed in the sudoers or it will be denied.

E.g.:

backupuser  ALL=(root) /usr/bin/rsync -aH /files/to/backup/ /copy/of/backup/

In this example the user backup can execute the command exactly as shown:

sudo /usr/bin/rsync -aH /files/to/backup/ /copy/of/backup/

If they call sudo rsync... instead of sudo /usr/bin/rsync the command fails, or if the flags or paths are different the command fails.

If you're doing this in a script then you want to enable passwordless use of those commands:

backupuser  ALL=(root) NOPASSWD: /usr/bin/rsync -aH /files/to/backup/ /copy/of/backup/

For more see the sudoers(5) man page under Cmnd_list.

Run a binary owned by root without sudo

Since you have read permission:

$ cp ~/binary_program my_binary
$ chmod +x my_binary
$ ./my_binary

Of course this will not auto-magically grant you escalated privileges. You would still be executing that binary as a regular user.

Best Answer

Related Solutions

Freebsd – Read files owned by another user as non-root

Run a binary owned by root without sudo

Related Question