sudo can't write to temp file

linux sudo

I'm trying to understand why sudo doesn't have permission here

touch fred.txt
/tmp$ ls -la fred.txt
-rw-rw-r-- 1 me me 0 Dec 12 15:40 fred.txt
/tmp$ sudo -i
~# cd /tmp
/tmp# echo hi >> fred.txt
-bash: fred.txt: Permission denied
/tmp# chmod 666 fred.txt
/tmp# ls -la fred.txt
-rw-rw-rw- 1 me me 0 Dec 12 15:40 fred.txt
/tmp# echo hi >> fred.txt
-bash: fred.txt: Permission denied
id
uid=0(root) gid=0(root) groups=0(root)

As I understand it the permission 666 should give owner, group and other permission to r/w to the file. Surly sudo which is acting as root as evidenced by the id command has access to the file under the 'other' permission.

What am I misunderstanding here?


It has something to do with this commit in the Linux kernel. Often /tmp is "world-writable" ("world" here means "others") and is "sticky":

$ stat /tmp/
...
Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)
...

chmod(2):

...
S_ISVTX  (01000)  sticky bit (restricted deletion flag, as described in unlink(2))
...
S_IWOTH  (00002)  write by others
...

As mentioned in the commit message, it doesn't exactly prevent you from writing to an affected file, but from opening such a file with O_CREAT, which is a flag for open() that is typically set to trigger file creation if the target does not exist yet. Therefore, you can still write to an affected file with the flag unset (which can be done with dd):

# ls -l /tmp/meh 
-rwxrwxrwx 1 tom tom 0 Dec 12 17:33 /tmp/meh
# id
uid=0(root) gid=0(root) groups=0(root)
# echo test | dd of=/tmp/meh oflag=append conv=notrunc
dd: failed to open '/tmp/meh': Permission denied
# echo test | dd of=/tmp/meh oflag=append conv=notrunc,nocreat
0+1 records in
0+1 records out
5 bytes copied, 9.4981e-05 s, 52.6 kB/s
#

Note that it's purely about whether the flag is set, but not whether a file needs to be created, since in the case of concern, the file always exists.

Also note that, as mentioned in the commit message, the file could not be opened with O_CREAT not just because it was not owned by user that attempted to open it (root), but also because its owner (tom) is different from the owner (root) of the directory (/tmp). If /tmp/ were owned by tom as /tmp/meh was, root would have been able to open it with O_CREAT.

Also see this commit in systemd which enables the "protection" on distros that adopted it:

# sysctl fs.protected_regular
fs.protected_regular = 1

Note that the related sysctls can also be set 2 (or 0).

Related

How to delete a keyboard layout without deleting that language on Windows 11? [duplicate]
Number of permutations for a cycle-type
When is $M \otimes_A -$ representable?
Proving the Product Rule for exponents with the same base
Kronecker product and the commutation matrix
How is Leibniz's rule for the derivative of a product related to the binomial formula? [duplicate]
How to prove $C_1 \|x\|_\infty \leq \|x\| \leq C_2 \|x\|_\infty$?
A normal matrix with real eigenvalues is Hermitian
Is there a bijection between $\mathbb N$ and $\mathbb N^2$? [duplicate]
Is my shorter expression for $ s_m(n)= 1^m+2^m+3^m+\cdots+(n-1)^m \pmod n$ true?
Prove that $\Gamma(p)\times \Gamma(1-p)=\frac{\pi}{\sin (p\pi)},\: \forall p \in (0,\: 1)$
Prove the trigonometric identity $(35)$