3

I have a weird permissions situation that I cannot explain. Let me explain my users and group and then show you the folder permissions.

drwxrwsr-x.  2 jenkinsuser applog        4096 Jul 15 09:56 .
drwxrwxr-x. 13 jenkinsuser jenkinsuser   4096 Jul 15 09:40 ..
-rw-r--r--.  1 apache      applog      750409 Jul 15 09:56 application.log

I have 2 users, apache and jenkinsuser. Both are a part of the group named applog. I have a log folder with the permissions shown above. The folder has the SGID set so any new files will have the group set to applog. As you can see, the application.log file has rw-r--r-- set for the file, which I understand as: the apache user is the only user who can write to the file.

As jenkinsuser I am able to open the file with vi/vim based on the fact that applog has read only access. When I save it (ex. :w within vi) it says 'readonly' option is set (add ! to override). When I force save (ex. :w! within vi) it saves with the new permissions shown below.

drwxrwsr-x.  2 jenkinsuser applog        4096 Jul 15 11:24 .
drwxrwxr-x. 13 jenkinsuser jenkinsuser   4096 Jul 15 09:40 ..
-rw-r--r--.  1 jenkinsuser applog      750448 Jul 15 11:24 application.log

So my question is, why can jenkinsuser force save the file if it does NOT have write access to it? What am I missing?

DFieldFL

1 Answer

3

vi has deleted the old file, and written a new one with the same name. You have permission to remove the old file, because you have write access to the directory that contains it. To remove the file, you change (write to) the directory inode by deleting the reference to the existing file. When the file's reference count goes to zero, the file system then frees up the file's inode and space. Next you write to the directory inode again by adding the new file to it.

To keep that from happening, you'll need to remove write permission on the directory.

Note that you may also have some ACLs on the file and directory that are overriding the permissions you're seeing in ls -l. See the '.' to the right of the permissions in each line of the listing? That shows that some ACLs are active. To see them, run getfacl /dir/name.

Andrew Schulman
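The mechanism in the answer can be reproduced without a second user. The script below is an added example, not something from the question or the answer: it builds a scratch directory shaped like the listing above (the path comes from mktemp, not the poster's real log directory), makes the log read-only as a stand-in for "owned by apache", and then shows that an in-place write is refused while a create-and-rename over the same name succeeds, changes the inode, and leaves the file owned by whoever ran it. It then applies the answer's fix, chmod a-w on the directory, and shows the replacement being refused. The replace_via_directory function is an approximation of what vi's :w! ends up doing, not vi's actual code.

```sh
#!/bin/sh
# Added example, not from the original post or its answer: show why a user with no
# write bit on application.log can still "save" it when the containing directory is
# writable, and how removing the directory's write bit stops it.
# All paths are constructed here; the post's real directories are not used.

# Build a directory mimicking the question's listing: setgid on the directory,
# a read-only log inside. Sets the global DEMO.
setup_demo() {
  DEMO=$(mktemp -d)
  chmod 2775 "$DEMO"
  printf 'original log line\n' > "$DEMO/application.log"
  # 444 stands in for "owned by apache, only readable by us" without a second user
  chmod 444 "$DEMO/application.log"
}

# Inode number of a path; ls -i is portable where stat -c is GNU-only.
inode_of() {
  ls -i "$1" | awk '{ print $1 }'
}

# An in-place write: the kernel checks the FILE's permission bits.
# Returns 0 if the write succeeded, non-zero if it was refused.
write_in_place() {
  { printf 'appended line\n' >> "$1"; } 2>/dev/null
}

# Roughly what vi's :w! ends up doing: write a new file, then rename it onto the
# old name. Only the DIRECTORY's write bit is consulted; the old inode is unlinked
# and the name now points at a new inode owned by the caller.
replace_via_directory() {
  dir=$(dirname "$1")
  tmp="$dir/.application.log.tmp"
  { printf 'replaced contents\n' > "$tmp"; } 2>/dev/null && mv -f "$tmp" "$1" 2>/dev/null
}

# The fix from the answer: drop write permission on the directory.
# chmod a-w clears only the write bits, so the setgid bit survives.
protect_directory() {
  chmod a-w "$1"
}

# Give write permission back so the scratch tree can be removed.
teardown_demo() {
  chmod u+w "$DEMO"
  rm -rf "$DEMO"
}

# Stand-alone walk-through. Root bypasses these permission checks entirely, so the
# "refused" lines only appear when run as an ordinary user.
run_demo() {
  setup_demo
  before=$(inode_of "$DEMO/application.log")
  if write_in_place "$DEMO/application.log"; then
    echo "in-place write succeeded (running as root?)"
  else
    echo "in-place write refused: no write bit on the file"
  fi
  if replace_via_directory "$DEMO/application.log"; then
    after=$(inode_of "$DEMO/application.log")
    echo "replace succeeded: inode $before -> $after, owner is now $(id -un)"
  fi
  protect_directory "$DEMO"
  if replace_via_directory "$DEMO/application.log"; then
    echo "replace still succeeded after chmod a-w on the directory (running as root?)"
  else
    echo "replace refused: directory is no longer writable"
  fi
  teardown_demo
}

run_demo
```

Run it as an ordinary user to see both refusals; as root every step succeeds, because root is not subject to these mode-bit checks at all. One side note on the listing itself: on GNU coreutils, a trailing '.' in ls -l output means the file carries an SELinux security context, while a trailing '+' means an ACL is present; getfacl shows the ACL and ls -Z shows the context, so checking both tells you what is actually in force.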