This simple script
sudo rm -rf /tmp/a
echo a > /tmp/a
chmod a+w /tmp/a
echo b >> /tmp/a
sudo bash -c 'whoami; echo c >> /tmp/a'
outputs
root
bash: /tmp/a: Permission denied
Why does root not have permissions to write to /tmp/a?
Here's a reproducible way to demonstrate this via Docker:
# alpine 3.8
alpine=$(docker run -d alpine:3.8 sleep 99999999999999)
d() { docker exec $alpine "$@"; }
d apk add sudo bash
d adduser -D u
d sudo -u u bash -c 'echo a > /tmp/a; chmod a+w /tmp/a'
d bash -c 'whoami; echo b >> /tmp/a'
docker rm -f $alpine
# ubuntu 18.04
ubuntu=$(docker run -d ubuntu:18.04 sleep 99999999999999)
d() { docker exec $ubuntu "$@"; }
d useradd u
d apt-get update
d apt-get install -y sudo
d sudo -u u bash -c 'echo a > /tmp/a; chmod a+w /tmp/a'
d bash -c 'whoami; echo b >> /tmp/a'
docker rm -f $ubuntu
sudo sysctl fs.protected_symlinks? – Paulo Tomé Feb 15 '20 at 13:48
The error indeed disappears when using a path that is not /tmp/-prefixed. But why is this relevant when there are no symlinks involved? – ens Feb 15 '20 at 13:56
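A standalone re-run of the append test, added here and not code from the question or its comments: it compares /tmp with a freshly created world-writable directory that lacks the sticky bit, which is the difference the last comment points at, and prints fs.protected_symlinks next to fs.protected_regular (assumed here to be the regular-file counterpart of the sysctl raised in the comment, not something the thread states). It assumes a Linux host with sudo, a stat(1) that accepts -c '%a', and an existing unprivileged user passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the question. Re-runs the question's append test in
# two directories so the directory mode can be compared on the current kernel.
# Assumptions: Linux, sudo, stat -c '%a', an existing unprivileged user as $1.
# Run as root:  sh probe.sh u

# Return 0 if DIR is world-writable and has the sticky bit (mode like 1777).
sticky_world_writable() {
    swmode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case $swmode in
        [1357][0-7][0-7][2367]) return 0 ;;   # sticky set and other-write set
        *) return 1 ;;
    esac
}

# The question's scenario in DIR as USER: the user creates the file and makes
# it world-writable, then root appends with >> (an open with O_CREAT|O_APPEND).
# Prints "allowed" or "denied" and returns 0 or 1; returns 2 if setup failed.
probe_append() {
    pf="$2/probe_$$"
    sudo -u "$1" sh -c "echo a > '$pf' && chmod a+w '$pf'" || return 2
    if { echo b >> "$pf"; } 2>/dev/null; then
        echo allowed; rm -f "$pf"; return 0
    fi
    echo denied; rm -f "$pf"; return 1
}

main() {
    # fs.protected_regular is assumed to be the regular-file counterpart of the
    # sysctl mentioned in the comments; print both so they can be compared.
    sysctl fs.protected_symlinks fs.protected_regular 2>/dev/null
    # World-writable but NOT sticky, so the sticky bit is the only variable.
    plain=$(mktemp -d /var/tmp/probe.XXXXXX) && chmod 0777 "$plain"
    for dir in /tmp "$plain"; do
        if sticky_world_writable "$dir"; then kind=sticky; else kind=plain; fi
        printf '%-24s %-7s ' "$dir" "$kind"
        probe_append "$1" "$dir"
    done
    rm -rf "$plain"
}

# Only probe when run as root with a user name; sourcing the helpers is harmless.
if [ "$(id -u)" -eq 0 ] && [ $# -ge 1 ]; then main "$@"; fi
```

On a kernel where the comment's observation holds, the /tmp line prints "denied" and the non-sticky directory prints "allowed" for the very same file ownership and permissions.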