Only since Debian 11: regular users can't write to world/group writable files under /tmp/ owned by other users, unless owner is root

Question

Users:

• root
• userA - the normal owner of the file
• userB - the user that wants to write to the file

The file:

• Let's say I have a basic text file: /tmp/file
• Ownership: chown userA:groupA /tmp/file
• Permissions are group + world writable: chmod 666 /tmp/file

The problem:

• userB can't write to it via the world/everyone permission
• userB also can't even write to it when they're in the groupA group
• I'm only seeing this on a new Debian 11 host.
  • There's no issue on my Debian 10 hosts.

What does work:

• If I chown root:root /tmp/file - no problem
  • ...this is the weirdest part to me. If this is some new security policy or something, then why is this allowed?
• If I move the file outside /tmp - no problem

What's going on here?

Has something changed between Debian 10 -> 11?

There's nothing non-default about my /tmp dir. It's not a separate partition or anything, it's just the default subdir setup that Debian comes with.

Answer 1

• So I typed my question up, and then realized that I should also try writing to the file as root... and was surprised that not even that was allowed either.

  • Perhaps that's why I didn't find much info in all my initial searches trying to figure this out. Most other users tried that first I guess, so their thread titles are a bit different to what I was looking for.
  • So hopefully me still posting + answering this can help someone in the future, if they happen to use search terms like I was.

• It seems that the cause is the new default setting on sysctl fs.protected_regular

• I'm still a bit surprised by the fact that userB can write to the file if root:root owns it. But I guess there needs to be some way to really allow world writable files.

  • Although it being owned by root feels like a kinda reverse way to do it. I'm keen to hear if anyone has any insights into why this is allowed.