[GLLUG] root access

Dpk dpk@egr.msu.edu
Fri, 12 Apr 2002 15:21:35 -0400


On Fri, Apr 12, 2002 at 02:57:59PM -0400, Charles Williams wrote:

   This had been a situation earlier and your thread reminded me of it. 
   I went to try out some things you folks are questioning.
   
   I tried this out as myself (willcha) and NOT as root.
   
   1.) A directory I have ownership in (by way of my group). A file I don't
   have permission for.
   I can ftp the file to my hard drive.
   I can delete this file from the Solaris Unix web server while I'm in ws_ftp.
   I can then replace the file on the Solaris Unix server and it now has my
   ownership.
   
   2.) A directory I don't have ownership in. A file I don't have ownership
   privileges for.
   I can't copy the file to my hard drive.
   Can't delete with ws_ftp.
   
   Dennis (below) says it's "definitely the default" and if that's so
   then I can cautiously say that such installations here are done by
   the defaults.

My bad... I'm on a dialup link today.  It should be "definitely NOT
the default".  Default ftp, user setup, and permissions on Solaris
should not allow you to overwrite others' files, including via FTP.
Sorry for the confusion.

If your directories are group writable, then yes, they can delete any
file in that directory. To avoid this, look at using the "Sticky bit"
(man -s2 chmod or Google-it) on the directories.  This is what is used
on /tmp to avoid users wiping out each other's files.

Dennis
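
The sticky-bit advice above as a small audit script; this is an added example, not part of the original message. The function names and the demo directory layout are made up for illustration.

```shell
#!/bin/sh
# Added example: find shared directories that lack the sticky bit and fix them.
# Function names are hypothetical; the demo tree is constructed in a temp dir.

# List directories under $1 that are group- or world-writable but not sticky.
# Anyone with write access to such a directory can unlink or rename files in
# it, even files they cannot read or write themselves.
find_unsticky_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) ! -perm -1000 -print
}

# Set the sticky bit on each directory reported above. Once set, an entry can
# be deleted or renamed only by the file's owner, the directory's owner, or root.
fix_unsticky_dirs() {
    find_unsticky_dirs "$1" | while IFS= read -r dir; do
        chmod +t "$dir" && printf 'sticky bit set: %s\n' "$dir"
    done
}

# Constructed demo: one group-writable directory and one that is not.
demo() {
    demo_root=$(mktemp -d) || return 1
    mkdir "$demo_root/shared" "$demo_root/private"
    chmod 775 "$demo_root/shared"    # group-writable, no sticky bit
    chmod 755 "$demo_root/private"   # not group-writable, never reported
    echo "before:"; find_unsticky_dirs "$demo_root"
    fix_unsticky_dirs "$demo_root"
    echo "after:";  find_unsticky_dirs "$demo_root"
    ls -ld "$demo_root/shared"       # mode string now ends in 't'
    rm -rf "$demo_root"
}

demo
```

The sticky bit only blocks deleting and renaming other users' files; the directory stays group-writable, so members can still create new files in it.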