Hello,
On Tue, Aug 15, 2023 at 11:42:55AM +0800, Xuancong Wang wrote:
> Dear all,
>
> I found in all versions of Linux (at least for kernel version 4/5/6), the
> following bug exists:
> When a user is granted full access to a file of which he is not the owner,
> he can read/write/delete the file, but cannot "change only its last
> modification date". In particular, `touch -m` fails and Python's
> `os.utime()` also fails with "Operation not permitted", but `touch` without
> -m works.
>
> This applies to both FACL extended permission as well as basic Linux file
> permission.
>
> Thank you for fixing this in the future!
Your description is unclear to me, particularly what you call "is
granted full access": do you mean chmod here ? If so, you can't
delete it, so maybe you mean something else ? You should share a
full reproducer showing the problem. Also, the fact that one
command (touch) works and another one (python) does not indicates
they don't do the same thing. So I suspect it's more related to
the way the file is accessed where both commands use different
semantics. As such, using strace on both commands showing the
sequence accessing that file will reveal the difference and very
likely explain why one can and the other cannot change the last
modification date.
Willy
PS: there's no need to keep security@ here, it's used to dispatch
issues to maintainers and coordinate fixes, now that your report
is public it will not bring anything anymore.
