Bug 154112

Summary: user can delete file which is owned by root:wheel
Product: Base System
Reporter: Ihor R <kaba>
Component: amd64
Assignee: freebsd-amd64 (Nobody) <amd64>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description Ihor R 2011-01-18 14:50:03 UTC
The problem is:
user can delete files in own home directory owned by root:wheel.

How-To-Repeat: as root, change current directory to user home:
#cd ~username/
#touch 1.txt
#chown root:wheel 1.txt

login to system as user:
%id
uid=1001(username) gid=1001(username) groups=1001(username)
%ls -la | grep 1.txt
-rw-r--r--    1 root      wheel             0 Jan 18 16:38 1.txt
%rm -f 1.txt
%ls -la | grep 1.txt
%
Comment 1 Konstantin Belousov freebsd_committer freebsd_triage 2011-01-18 16:21:32 UTC
State Changed
From-To: open->closed

User home directory is owned by user, right ? 
The system works as intended, read about unix file permission model.
Comment 2 Ihor R 2011-01-18 19:27:23 UTC
 On Tue, 18 Jan 2011 16:22:53 GMT, kib@FreeBSD.org wrote:
> User home directory is owned by user, right ?
> The system works as intended, read about unix file permission model.

 The user's home directory is owned by the user, but I quite don't
 understand how I can provide hosting service for my users, if any user
 can delete any files in his home directory. For example:

 If I want to block some resource, like a site, by adding "deny from all"
 to .htaccess and changing the owner of this file to root:wheel, the user
 cannot change (rewrite) this file, but he can delete this file any time
 he wishes - and the site will go on working and can take some steps to
 damage the server.

 Can you please explain to me how I can get back to Unix where users can't
 delete files which they do not own? What steps do I need to take to solve
 the current problem?
 I need users to be unable to change or delete files that they do not own,
 wherever the files are placed.
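
The permission rule Comment 1 refers to, as an added example that is not part of the original bug report: removing a file is a write to its parent directory, so the file's own owner and mode matter only when that directory has the sticky bit set. The `Node` type, the function names and the sample uids and modes are constructed for illustration; ACLs, file flags and MAC policies are ignored.

```python
import stat
from collections import namedtuple

# Constructed stand-in for the os.stat() fields the rule needs (assumption).
Node = namedtuple("Node", "uid gid mode")

def _allows(node, uid, gids, want):
    """Classic owner/group/other check; `want` is an rwx mask (0-7)."""
    if uid == 0:
        return True  # superuser bypasses mode bits
    if uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif node.gid in gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want

def can_unlink(uid, gids, parent, target):
    """True if `uid` may remove `target` from directory `parent`."""
    if uid == 0:
        return True
    # Removing a name modifies the directory: write + search on the parent.
    if not _allows(parent, uid, gids, 0o3):
        return False
    # Sticky directory: only the file owner or the directory owner may remove.
    if parent.mode & stat.S_ISVTX:
        return uid in (target.uid, parent.uid)
    return True

# Constructed cases mirroring the report (uid/gid 1001 = username, 0 = root:wheel).
USER, GROUPS = 1001, {1001}
ROOT_FILE = Node(0, 0, 0o100644)            # 1.txt owned by root:wheel
USER_HOME = Node(1001, 1001, 0o040755)      # home owned by the user
STICKY_HOME = Node(1001, 1001, 0o041755)    # same, with the sticky bit set
ROOT_DIR = Node(0, 0, 0o040755)             # directory owned by root
STICKY_TMP = Node(0, 0, 0o041777)           # /tmp-style directory

if __name__ == "__main__":
    for name in ("USER_HOME", "STICKY_HOME", "ROOT_DIR", "STICKY_TMP"):
        print(name, can_unlink(USER, GROUPS, globals()[name], ROOT_FILE))
```

The sticky bit does not help while the user still owns the directory; in this model the root-owned file is protected only when its parent directory is not writable by the user or is a sticky directory the user does not own.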