Hello,
On Tue, Aug 15, 2023 at 11:42:55AM +0800, Xuancong Wang wrote:
Dear all,
I found in all versions of Linux (at least for kernel version 4/5/6), the following bug exists: When a user is granted full access to a file of which he is not the owner, he can read/write/delete the file, but cannot "change only its last modification date". In particular, `touch -m` fails and Python's `os.utime()` also fails with "Operation not permitted", but `touch` without -m works.
This applies to both FACL extended permission as well as basic Linux file permission.
Thank you for fixing this in the future!
Your description is unclear to me, particularly what you call "is granted full access": do you mean chmod here ? If so, you can't delete it, so maybe you mean something else ? You should share a full reproducer showing the problem. Also, the fact that one command (touch) works and another one (python) does not indicates they don't do the same thing. So I suspect it's more related to the way the file is accessed where both commands use different semantics. As such, using strace on both commands showing the sequence accessing that file will reveal the difference and very likely explain why one can and the other cannot change the last modification date.
Willy
PS: there's no need to keep security@ here, it's used to dispatch issues to maintainers and coordinate fixes, now that your report is public it will not bring anything anymore.