asnell
2 years ago, Explorer | Level 4
Linux users can delete folders (including content) that are not shared with them
Dropbox Business Standard with multiple users. Folders that are not shared with a user still show as an empty folder for that user. They can access the folder but not the files - it looks like an emp...
Walter
Dropbox Staff
Hey asnell, thanks for bringing this to our attention.
Can you please clarify if those are team folders, shared folders or personal folders perhaps?
Are all members of the team noticing this or a specific one or a team admin?
If you could also share some screenshots so that we can have a visual too, I'd appreciate it.
Thanks!
asnell
2 years ago, Explorer | Level 4
Hi Walter,
This happens with shared folders, created as shown in the first image.
The following images show two Linux computers. The one on the left is the user with shared access, the one on the right does not have shared access. These show the command line, but the same happens when deleting the folder using a file manager. The folder, which appears empty, can be deleted by the user without shared access.
The shared folder "notforall" has a file "testfile" in it.
This happens with multiple Linux machines I have here running Ubuntu 22.04 and Linux Mint 21. It happens the same with different users. It does not happen with Windows computers running the same users, they get access denied.
Thank you.
Andrew
- Walter, 2 years ago, Dropbox Staff
Thanks for the additional information and the screenshots too, asnell - much appreciated.
It sounds like you may have set your top level folders to be editable by all team members - could it be that that's what's causing this?
If you choose Everyone, you can either use the Content page, the All files page, or the desktop app to manage the top level of the team space as outlined here.
- asnell, 2 years ago, Explorer | Level 4
Thank you, I'll have a read through that shortly as it may help.
I have investigated more and in all Linux distros I have checked, an empty directory can be deleted even if the user doesn't have write access. So Dropbox is showing the folder but, because the user doesn't have access to the content, it is empty. The write attribute is cleared, so in theory a user can't do anything with it, and that works in Windows. In Linux a user can delete such an empty directory, even without write access. This deletion then gets synchronised by the Dropbox desktop client and removed from other users who do (or did) have shared access.
I have been on to Dropbox support about it and they have passed it on to somebody else. I can work round the problem now I know about it and what is causing it.
Thanks again for your attention.
- Здравко, 2 years ago, Legendary | Level 20
asnell wrote: ... The write attribute is cleared so in theory a user can't do anything with it, and that works in Windows. ...
Hi asnell,
Not exactly! The user cannot change the content only. This is the same both for files and for folders. It's another story how much Windows matches any standards.
asnell wrote: ... In Linux a user can delete such an empty directory, even without write access. ...
Yes, and that's correct behavior. Permissions to change/delete a folder (not its content) are described by the access that's set on the containing folder. The target folder is part of the content of its parent folder.
asnell wrote:... This deletion then gets synchronised by the Dropbox desktop client and removed from other users who do (or did) have shared access.
...
And this is a real security issue!!! That means a user can make some changes even when the appropriate permission is missing! Bad thing...
- Здравко, 2 years ago, Legendary | Level 20
Walter wrote:...
It sounds like you may have set your top level folders to be editable by all team members - could it be that what's causing this?
...
It's just not true, Walter. As can be seen both from the folder setup (web view) and from the console output, the folder is correctly set up as writable for the first user and read-only for the second one. 🙂 Classical application BUG and not only. Not only because with inappropriate credentials, this should NOT be possible on the Dropbox server despite being possible locally, but it happens (as can be seen). Just as a hint to your application development staff - setting read only on a particular folder doesn't prevent this folder from being deleted, it only restricts changes to the folder content (there is nothing right now, because of the restriction set for the user 😁) - for reference: POSIX.
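Added example, not part of any post in this thread: a scratch-directory reproduction of the POSIX rule the replies refer to, where removing a directory is governed by write permission on its parent, so an empty directory with its own write bit cleared can still be deleted. The function name `try_remove` and the `parent/child/testfile` layout are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo of the POSIX rule discussed in the thread. Everything
# happens in a throwaway mktemp directory; no Dropbox folder is touched.
# Run as a normal user: root bypasses these permission checks.

# try_remove PARENT_MODE CHILD_MODE [populate]
# Builds parent/child with the given modes (optionally with a file inside
# child), attempts a recursive delete of child, prints "removed" or "denied".
try_remove() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/parent/child"
    if [ "${3:-}" = "populate" ]; then
        : > "$base/parent/child/testfile"
    fi
    chmod "$2" "$base/parent/child"
    chmod "$1" "$base/parent"

    rm -rf "$base/parent/child" 2>/dev/null || true
    if [ -e "$base/parent/child" ]; then
        result=denied
    else
        result=removed
    fi

    # Restore permissions so the scratch tree can be cleaned up.
    chmod -R u+rwx "$base"
    rm -rf "$base"
    echo "$result"
}

# Empty, read-only child in a writable parent: the case from the thread.
echo "writable parent, empty r-x child:     $(try_remove 755 555)"
# Same child, but it holds a file: unlinking the file needs write on child.
echo "writable parent, non-empty r-x child: $(try_remove 755 555 populate)"
# Writable child in a read-only parent: the parent's mode blocks removal.
echo "read-only parent, empty rwx child:    $(try_remove 555 755)"
```

On a non-root account the three cases report removed, denied and denied, in that order.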