have you logged in as root or su'd/sudo'd to it ?
please, show id prior to ksh, do same for permissions (ls -al foo etc) before and after the chown command, owner+permissions of the directory
the 'Bash works' ? - show that as well ( and states prior and post commands - as per ksh ) and the bash version
Good point, a beta version.
I have seen an earlier AT&T ksh update on SUSE Linux where they managed to break it.
SUSE's fix was a roll back; later they moved to mksh that has not much in common with ksh (but the name).
Also there was a ksh-2000 project - a total fail.
The latest stable version is ksh93u+
Maybe this time they broke the euid == ruid check?
Display all the current UIDs:
ps -o pid,euid,ruid,suid,egid,rgid,sgid,cmd -p $$
The behavior changes if you invoke ksh with -p option.
could be related to the sticky bit on /tmp (+/ group membership(s))
in /tmp - the sticky bit (normally !) prevents the change - as only owner/group have write permission and 'nobody' is not a member of root.
however under root/tmp .... root still has permission to change the file as they own
ls -al .. | grep -E '(root|tmp)$'
drwx------ 21 root root 4096 Feb 13 09:08 root
drwxrwxrwt 33 root root 4096 Feb 13 09:09 tmp
root@Z800:~# pwd
/root
root@Z800:~# touch t; touch /tmp/t; ls -al t ; ls -al /tmp/t
-rw-r--r-- 1 root root 0 Feb 13 09:09 t
-rw-r--r-- 1 root root 0 Feb 13 09:09 /tmp/t
root@Z800:~# chown nobody t; chown nobody /tmp/t; ls -al t ; ls -al /tmp/t
-rw-r--r-- 1 nobody root 0 Feb 13 09:09 t
-rw-r--r-- 1 nobody root 0 Feb 13 09:09 /tmp/t
root@Z800:~# date >> t; ls -al t; date>> /tmp/t; ls -al /tmp/t
-rw-r--r-- 1 nobody root 29 Feb 13 09:11 t
-bash: /tmp/t: Permission denied
-rw-r--r-- 1 nobody root 0 Feb 13 09:09 /tmp/t
whereas doing same on macos darwin, - it works without barfing
This protection is similar to protected_fifos, but it avoids writes to an attacker-controlled regular file, where a program expected to create one.
When set to "0", writing to regular files is unrestricted.
When set to "1" don't allow O_CREAT open on regular files that we don't own in world writable sticky directories, unless they are owned by the owner of the directory.
When set to "2" it also applies to group writable sticky directories.
The traditional behavior is that a +t bit ("sticky bit") on a directory prevents from deletion i.e. unlink() of another owner's file, even if the other directory permissions are rwxrwxrwx, like /tmp
But root (uid 0) is not restricted, can delete everything in /tmp
Now this /proc/sys/fs/protected_regular = 1
feature extends it to open() and even restricts root!
says:
That even root can't edit files anymore seems to be a side-effect.
I call this a severe violation of Unix compatibility if not a bug!
I would set it to 0 (off) via the sysctl facilty. Then it's on only during the early boot phase.