While working on a RHEL 9 system, I wanted to edit a config file located in /tmp/. After sudoing to the root user, I opened the file with vim and was then pretty surprised to see I was unable to save my changes. Instead of writing and exiting the file, the terminal showed an error message:
E212: Can't open file for writing
The first thought was that the file system was mounted read-only - then obviously no write operations can be done. But the /tmp file system was correctly mounted with the rw flag.
Was it a basic file permission problem? But file permissions also looked fine, especially for the root user, which can write anything:
[root@rhel9 tmp]# ls -la /tmp/test1
-rw-r-----. 1 user group1 18 Sep 6 07:51 /tmp/test1
No errors were logged in any log.
SELinux could also be a potential blocker and was verified.
[root@rhel9 ~]# getenforce
Enforcing
Although SELinux is obviously enabled (enforcing), it should still be possible for the root user to write a file, even if root is not the owner.
Could it be related to special file attributes, which could add additional flags and make a file immutable? But lsattr showed the default attributes.
[root@rhel9 ~]# lsattr /tmp/test1
--------------e----- /tmp/test1
To top that all, a write operation using a simple echo into the file works:
[root@rhel9 ~]# echo "but why?" /tmp/test1
[root@rhel9 ~]# tail -n 1 /tmp/test1
but why?
I'm scratching my head at this point.
Additional research to similar editing problems pointed me (via ArchLinux forums) towards the Kernel configuration options fs.protected_*. There are currently four such entries:
To my understanding, the fs.protected_regular description matches the permission problems when trying to edit the file with vim. Besides this, the file in question is located inside /tmp, which is a world writeable sticky directoy.
Let's check the current Kernel settings using sysctl:
[root@rhel9 ~]# sysctl -a | grep fs.protected
fs.protected_fifos = 1
fs.protected_hardlinks = 1
fs.protected_regular = 1
fs.protected_symlinks = 1
They are all enabled.
Let's try a vim modification after disabling fs.protected_regular:
[root@rhel9 ~]# sysctl -w fs.protected_regular=0
fs.protected_regular = 0
[root@rhel9 ~]# vi /tmp/test1
-> Editing the file and adding [adding some additional text] at the end of the file
:wq
No error showed up this time and the added text was indeed saved in /tmp/test1:
[root@rhel9 ~]# tail -n 1 /tmp/test1
adding some additional text
After enabling fs.protected_regular again (set to 1), the vim edit permission error showed up again.
These additional file protections were added in the Linux Kernel 4.19 in commit namei: allow restricted O_CREAT of FIFOs and regular files. The goal is obviously to tackle a security issue, where an attacker could spoof on "shared" files in world writeable directories (e.g. PHP sys_temp_dir). That even root can't edit files anymore seems to be a side-effect.
This can also be reproduced in other Linux distributions. On an Ubuntu 22.04 and Debian 11 with Kernel 5.15 and on Debian 12 with Kernel 6.1.0, the fs.protected Kernel settings are by default set to these values:
claudio@ubuntu:~$ sudo sysctl -a | grep fs.protected
fs.protected_fifos = 1
fs.protected_hardlinks = 1
fs.protected_regular = 2
fs.protected_symlinks = 1
It turns out this is not a RHEL9 related "problem" but a newer Kernel security standard which I happened to never come across - until now. :-)
Note that these additional security settings are only applied on world writeable (1) or group writeable (2) directories with the sticky bit set (chmod 1777). On most Linux systems this is by default /tmp and /var/tmp:
root@debian ~ # stat /tmp/
File: /tmp/
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fe00h/65024d Inode: 2 Links: 9
Access: (1777/drwxrwxrwt) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2023-09-05 19:51:26.708920185 +0200
Modify: 2023-09-06 11:49:08.931388484 +0200
Change: 2023-09-06 11:49:08.931388484 +0200
Birth: 2018-07-04 08:18:47.000000000 +0200
root@debian ~ # stat /var/tmp/
File: /var/tmp/
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fe02h/65026d Inode: 198 Links: 4
Access: (1777/drwxrwxrwt) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2023-09-06 02:15:10.973909196 +0200
Modify: 2023-09-06 00:00:02.193560882 +0200
Change: 2023-09-06 00:00:02.193560882 +0200
Birth: 2018-07-04 08:18:59.675347253 +0200
Outside such directories, the normal permission handling applies and root can open, edit and save any regular file.
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder