user write debug data to root owned file

Question

I'm running GNU bash, version 5.1.16(1)-release (x86_64-pc-linux-gnu) on a Linux Mint 21.2 Victoria system.

I'll be grateful if anyone can explain this for me as I haven't been able to find any documentation which does. Everything is working as I would like it to but I don't know what mechanism allows 'user' to write to 'root' files without permission.

I'll be happy to provide further documentation if needed.

Synopsis:

• anacron invokes 'foo' as 'root' and redirects 2>&1 to create/overwrite a debug file

• 'root' invocation of 'foo' calls 'runuser' to invoke 'foo' as 'user' redirecting 2>&1 to create/overwrite or append a debug file

• it doesn't matter whether the 'runuser' redirection is to the same file or a different file

• it doesn't matter whether the 'runuser' redirection creates/overwrites or appends to the file

• the output file from the anacron/runuser redirection is owned by 'root' - permissions '0644')

• 'root' invocation of 'foo' exits, having written to the debug file which it owns

• 'user' invocation of 'foo' runs, appends/overwrites the debug file which 'root' owns

• 'user' invocation of 'foo' exits, having written to the debug file which 'root' owns

• Invoking 'foo' as 'user' and redirecting to the 'root' owned debug file in a Terminal session gets "Permission denied"

Answer 1

Few things:

• Ownership and mode matter when a process tries to open a file.
• A redirection like in foo >logfile is performed (i.e. logfile is opened) by a shell before foo starts. The shell forks, the forked copy opens the file and replaces itself with foo.
• It's common for a child process to inherit copies of the parent's set of open file descriptors; this includes stdin, stdout, stderr.
• runuser, su or sudo can run something as another user. Such or similar tool may deliberately close some file descriptors, but in general at least stdin, stdout and stderr are inherited.
• A process can duplicate a descriptor without re-opening the corresponding file. A redirection like in foo 2>&1 is like that, it's performed by the shell before foo starts, but this time the file (i.e. whatever the stdout is) has already been opened.

In your "anacron case" whatever process opened the file, it was a process acting as root. The final, non-elevated instance of foo was able to use the file because it inherited a copy of the relevant file descriptor.

In case of invoking foo as a regular user from a non-elevated shell, there is no elevated process that could open the file and possibly let its non-elevated children inherit copies of the descriptor.