Bug 248366
Summary: | chgrp permission denied for file owner | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Christopher Beland <beland> |
Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 6 | ||
Hardware: | All | ||
OS: | Linux | ||
Last Closed: | 2007-07-16 22:09:59 UTC | Type: | --- |
Description
Christopher Beland
2007-07-16 14:18:12 UTC
This is a kernel permission check. Changing component and reassigning. apache cannot change a file's group unless apache is a member of the new group.

Any particular reason for that? As the file owner, apache can get read/write/execute access at any time, so it seems that the only thing that restriction does is prevent sharing access with groups of which it is not a member. I'm not sure why that would be desirable.

Because...

1) user creates script
2) user makes script setgid
3) user changes the group on script to one w/elevated privs that they aren't a member of
4) user runs setgid script with elevated privs they shouldn't have

BAD. I'd suggest perhaps making your user foo a member of the apache group if it needs r/w access to that file.

Ah, that makes sense. Thanks for the explanation.
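The rule discussed in this thread, written out as an added example that is not part of the bug report or of the kernel source: a small model of the Linux group-change check, plus a probe that asks the running kernel directly. The function names and the uid/gid numbers (48 for apache, 500 for foo, 1000 for an ordinary user) are constructed for illustration.

```python
import os
import tempfile


def may_chgrp(fsuid, groups, cap_chown, file_uid, file_gid, new_gid):
    """Model of the Linux rule for changing a file's group.

    groups is the caller's filesystem gid plus supplementary gids.
    """
    if cap_chown:                 # CAP_CHOWN (normally root) bypasses the check
        return True
    if fsuid != file_uid:         # only the owner may change the group at all
        return False
    # The owner may keep the current group or pick one it already belongs to.
    return new_gid == file_gid or new_gid in groups


def probe(new_gid):
    """Try a real group change on a scratch file; True if the kernel allows it."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chown(path, -1, new_gid)   # -1 leaves the owner unchanged
        return True
    except PermissionError:           # EPERM, shown by chgrp as "Operation not permitted"
        return False
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed IDs: apache is uid/gid 48, foo's group is gid 500.
    print("apache -> foo, not a member:", may_chgrp(48, {48}, False, 48, 48, 500))
    print("apache -> foo, after joining:", may_chgrp(48, {48, 500}, False, 48, 48, 500))
    # Step 3 of the setgid scenario: uid 1000 moves its own script to gid 0.
    print("user -> gid 0 on own script:", may_chgrp(1000, {1000}, False, 1000, 1000, 0))

    # Compare the model with the running kernel for the current process.
    mine = set(os.getgroups()) | {os.getegid()}
    foreign = next(g for g in range(60000, 65000) if g not in mine)
    is_root = os.geteuid() == 0       # assumption: root holds CAP_CHOWN here
    for gid in (os.getegid(), foreign):
        model = may_chgrp(os.geteuid(), mine, is_root, os.geteuid(), os.getegid(), gid)
        print(f"gid {gid}: model={model} kernel={probe(gid)}")
```

Run as an unprivileged user, the foreign gid is refused by both the model and the kernel, which is the denial reported here.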