
A and B are both non-root users in the same group. Suppose there will be some B-owned garbage files generated inside a directory (also generated and owned by B) after a regression run by B, but I need A to do the clean-up job in case B's regression is terminated and cannot do the clean-up properly.

I know the easiest way is to let B set umask 0002 before the regression, but unfortunately, somehow the regression tool will override this setting, and generate garbage files writable only by B.

So I try to use the suid feature to do the trick.

The demo directory is as below:

/proj/ttt> ll
total 0
-rw-r--r-- 1 B users  0 Mar 16 00:50 garbage.file

I try to create a script (cleanup) owned by B to clean up garbage files.

#!/bin/bash
# cleanup
echo EUID=$EUID UID=$UID
rm -f garbage.file

Then I add suid to this script with "chmod ug+s cleanup". The directory becomes

/proj/ttt> ll
total 0
-rwsr-sr-x 1 B users 57 Mar 16 00:50 cleanup
-rw-r--r-- 1 B users  0 Mar 16 00:50 garbage.file

I also add the "s" bit for the parent directory:

drwsr-sr-x 2 B users 4096 Mar 16 00:57 ttt

But when I execute this script as A, it seems the 's' bit does not work, and A cannot delete the garbage file.

/proj/ttt> ./cleanup   # executed by A
EUID=25264 UID=25264   # user B's uid is 25220, user A's uid is 25264
rm: cannot remove `garbage.file': Permission denied

I don't know what's wrong with my attempt, or whether this approach is feasible at all.

Or is there any other better way to do the job?

Jeff Schaller
chlalex

1 Answer

The standard way to do that is to create a new group, make both A and B members of this group, and make sure all the files (or at least the directories, if you just want to delete) in question belong to this group and have appropriate group permissions.

Think of groups as "rules" in your permission set: Every special rule usually requires creation of a group.

One way to enforce correct group ownership is to set the setgid (group) bit on a suitable directory that belongs to this group; then all files created in this directory will automatically belong to this group, too. You tried doing that, but I'm not sure that was your intention. Note that you can't set the setuid (user) bit on a directory.

It's generally discouraged to use setuid executables unless really necessary. If you want to go down that path, some sudoers entries would probably be better.

dirkt
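The setgid-directory approach from the answer, applied to the asker's `ttt`/`garbage.file` layout, as an added example that is not part of the question or the answer. It assumes a POSIX userland (ls, chmod, chgrp, mkdir, mktemp, id) and uses the caller's primary group in place of `users`; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Assumes a POSIX
# userland with ls, chmod, chgrp, mkdir, mktemp and id; run as any user.
# Names (mode_of, setup_shared_dir, group_can_unlink, demo) are my own.

# First 10 characters of ls -ld, e.g. "drwsr-sr-x" for the asker's ttt.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# unlink() checks write+search permission on the DIRECTORY, never the file's
# own mode, so the group needs "w" and "x" (or "s") in characters 6 and 7.
# "drwsr-sr-x" from the question fails this check: group has r-s, no w.
group_can_unlink_mode() {
    case "$1" in
        d????w[xs]*) return 0 ;;
        *)           return 1 ;;
    esac
}

group_can_unlink() {
    group_can_unlink_mode "$(mode_of "$1")"
}

# The answer's fix: a shared directory with the setgid bit (new files inherit
# the directory's group) AND group write. Mode 2775 = rwxrwsr-x.
setup_shared_dir() {
    mkdir -p "$1" || return 1
    chgrp "$2" "$1" || return 1
    chmod 2775 "$1" || return 1
}

# Shows that a read-only garbage file is still removable once the directory
# itself is group-writable (constructed in a temp dir; returns 0 on success).
demo() {
    tmp=$(mktemp -d) || return 1
    setup_shared_dir "$tmp/ttt" "$(id -gn)" || return 1
    : > "$tmp/ttt/garbage.file"
    chmod 444 "$tmp/ttt/garbage.file"            # file itself: read-only
    rm -f "$tmp/ttt/garbage.file" || return 1    # removal still succeeds
    group_can_unlink "$tmp/ttt"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

This also explains the `EUID=25264` output above: Linux ignores the setuid/setgid bits on interpreted (`#!`) scripts, so the cleanup script always runs as A, and A is then stopped by the missing group write bit on the directory, not by the mode of `garbage.file`.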