Ubuntu

rmdir syscall does not check dir permissions

Asked by Andrii Shestakov

Hello

In case when user has no permissions to read directory it is still possible to get know is that directory empty or not.

Steps to reproduce:
mkdir -p 1 2/3
chmod -rwx 1 2
ls -l 1
ls: cannot open directory '1': Permission denied
ls -l 2
ls: cannot open directory '2': Permission denied
rmdir 1
rmdir 2
rmdir: failed to remove '2': Directory not empty

It is not possible to get directory content nor delete it if not empty. But possible to get weather it is empty or not.
Could it be security bug which should be fixed or it is completely expected behavior?

Thanks

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Manfred Hampl (m-hampl) said : 		#1

I assume that this is expected behavior.

Even if you do not have access rights to a directory (or file), if you have write access to the parent directory, you can delete the inaccessible file (unless the sticky bit is set on the parent directory).

Independent of that you cannot delete a directory file, if there are files in the directory (unless you use the rm command with the -f option).

And yes, the combination of these two allows finding out whether directory 2 is empty or not. I do not see a possibility to find out what's there inside directory 2, so I do not see any real risk related to that. With the rights that you have on the parent directory, you can rename the sub-directories or change the access rights settings on them, anyhow.

Can you help with this problem?

Provide an answer of your own, or ask Andrii Shestakov for more information if necessary.

To post a message you must log in.