setgid binary doesn't have permission, mount's right, I'm missing something, but what, please?

Question

I've checked the manpages, the mount, the permissions ...

(edit: combined history into one sequence as requested. Starting to seem a not-simple problem. Nothing new since last edit, just bundled up all pretty)

~/sandbox/6$ editfunc doit
~/sandbox/6$ -x doit
+ doit
+ find
.
+ cp /bin/ln /bin/id .
+ sudo chown jthill:jthill id ln
+ chmod g+s id ln
+ mkdir protected
+ chmod 770 protected
+ touch data
+ set +xv
~/sandbox/6$ ls -A
data  id  ln  protected
~/sandbox/6$ ls -Al
total 92
-rw-r--r-- 1 jthill jthill     0 Nov  8 02:39 data
-rwxr-sr-x 1 jthill jthill 31432 Nov  8 02:39 id
-rwxr-sr-x 1 jthill jthill 56112 Nov  8 02:39 ln
drwxrwx--- 2 jthill jthill  4096 Nov  8 02:39 protected
~/sandbox/6$ sudo su nobody
[nobody@home 6]$ ./id
uid=619(nobody) gid=617(nobody) egid=1000(jthill) groups=617(nobody)
[nobody@home 6]$ ./ln ln protected
./ln: failed to create hard link ‘protected/ln’ => ‘ln’: Operation not permitted
[nobody@home 6]$ ./ln data protected
./ln: failed to create hard link ‘protected/data’ => ‘data’: Operation not permitted
[nobody@home 6]$ ln ln protected
ln: failed to create hard link ‘protected/ln’ => ‘ln’: Permission denied
[nobody@home 6]$ ln data protected
ln: failed to create hard link ‘protected/data’ => ‘data’: Permission denied
[nobody@home 6]$ exit
~/sandbox/6$

Have you tried "./ln ln protected' to make sure you use the local copy? — Anthon, Nov 08 '13 at 05:07
@Anthon just now did, same result. I like to think I just forgot here when I redid it for a clean c&p :-). — jthill, Nov 08 '13 at 05:10
There is no group write permission on the copy of 'ln', have you tried that? — Anthon, Nov 08 '13 at 05:28
I am a bit mistified here, I tried both chmod 2775 (no effect) and 4775 (works). Next would be looking at the source code. — Anthon, Nov 08 '13 at 05:44
You should probably redo your tests and copy paste the actual input and output. Your error messages don't seem to match the commands you entered. — Stéphane Chazelas, Nov 08 '13 at 10:22
Doesn't mean sgid it would run under egid of group permission? But you are in nobody's userdir, so you probably cannot write there as jthill group. — jirib, Nov 08 '13 at 10:24
And what are permissions on all components of the path? /home/jthill ... ? You can use strace to see where it fails. — jirib, Nov 08 '13 at 10:54

score 2 · Accepted Answer · edited Apr 13 '17 at 12:36

2

Found it:

If sysctl fs/protected_hardlinks is set,
hard links by someone not the owner (and without CAP_FOWNER), must be:
- not special
- not setuid
- not executable setgid
- both readable and writable

according to fs/namei.c. Some guy on SO wanted to have a dropbox folder people could add to but not see into (I think that's a Windows feature), I figured this was one of the few places a setgid would be good and the smoketest drove me here.

Thanks to all and especially Anthon who suggested checking the source.

(edit: sysctl spelling)

edited Apr 13 '17 at 12:36

Community

1

answered Nov 08 '13 at 11:47

jthill

2,671
12
15

How could you hardlinking a file and a directory? – jirib Nov 08 '13 at 12:21

setgid binary doesn't have permission, mount's right, I'm missing something, but what, please?

1 Answers1