


Witness the following:

sh-3.2$ cd testcase
sh-3.2$ sudo touch temp
sh-3.2$ ls -al
total 0
drwxr-xr-x   3 glen  staff  102 19 Dec 12:38 .
drwxr-xr-x  12 glen  staff  408 19 Dec 12:38 ..
-rw-r--r--   1 root  staff    0 19 Dec 12:38 temp

sh-3.2$ echo nope > temp
sh: temp: Permission denied

sh-3.2$ vim temp
# inside vim
# press [ESC]
# vim exits

sh-3.2$ ls -al
total 8
drwxr-xr-x   3 glen  staff  102 19 Dec 12:38 .
drwxr-xr-x  12 glen  staff  408 19 Dec 12:38 ..
-rw-r--r--   1 glen  staff    7 19 Dec 12:38 temp

Somehow vim has taken this root-owned file, and changed it into a user owned file!
This only seems to work if the user owns the directory - but it still feels like it shouldn't be possible. Can anyone explain how this is done?


You, glen, are the owner of the directory (see the . file in your listing). A directory is just a list of files and you have the permission to alter this list (e.g. add files, remove files, change ownerships to make it yours again, etc.). You may not be able to alter the contents of the file directly, but you can read and unlink (remove) the file as a whole and add new files subsequently[1].Only witnessing the before and after, this may look like the file has been altered.
Vim uses swap files and moves files around under water, so that explains why it seems to write to the same file as you do in your shell, but it's not the same thing[2].
Vim使用交换文件(swap file)和移动文件操作(move file)来实现读写操作,就解释了为什么你好似做了更改文件的操作一样,但实际上,你用vim所做的和改写原文件并不是同种操作[2]。

So, what Vim does, comes down to this:

cat temp > .temp.swp          # 把文件内容复制到一个阿Glen所属的文件中
echo nope >> .temp.swp        # 变更新文件的内容
rm temp && mv .temp.swp temp  #把文件再写回原来的文件处

[1] This is an important difference in file permission handling between Windows and Unices. In Windows, one is usually not able to remove files you don't have write permission for.

[2] update: as noted in the comments, Vim does not actually do it this way for changing the ownership, as the inode number on the temp file does not change (comparing ls -li before and after). Using strace we can see exactly what vim does. The interesting part is here:
更新:像评论中说的那样,vim实际上并不是这样改变所有权的,因为"temp"文件中的inode号并没有变(用ls -li 比较之前和之后).用strace能准确看出vim干了什么.有趣的是这里:

open("temp", O_WRONLY|O_CREAT|O_TRUNC, 0664) = -1 EACCES  //打开文件失败,没有权限
unlink("temp")                               = 0
open("temp", O_WRONLY|O_CREAT|O_TRUNC, 0664) = 4
write(4, "more text bla\n", 14)              = 14
close(4)                                     = 0
chmod("temp", 0664)                          = 0

This shows that it only unlinks, but does not close the file descriptor to temp. It rather just overwrites its whole contents (more text bla\n in my case). I guess this explains why the inode number does not change.
