Re: negative group permissions?

Board: FB_current, author not recorded, posted 14 years ago (2012/03/01 02:01), votes 0 (0/0/0)
0 comments, 0 participants, thread 17/20
On Wed, Feb 29, 2012 at 04:18:45PM +0000, jb wrote:
> Ian Lepore <freebsd <at> damnhippie.dyndns.org> writes:
>
> > ...
> > It's not a
> > directory or executable file in the first place, so making it executable
> > for everyone except the owner and group is not some sort of subtle
> > security trick, it's just meaningless.
> > ...
>
> Is it meaningless?
>
> Example:
> # cat /var/spool/output/lpd/.seq
> #! /usr/local/bin/bash
> touch /tmp/jb-test-`echo $$`
>
> # ls -al /var/spool/output/lpd/.seq
> -rw-r----x 1 root daemon 54 Feb 29 17:05 /var/spool/output/lpd/.seq
> # /var/spool/output/lpd/.seq
> #
> # ls /tmp/jb*
> /tmp/jb-test-61789
>
> # chmod 0640 /var/spool/output/lpd/.seq
> # ls -al /var/spool/output/lpd/.seq
> -rw-r----- 1 root daemon 52 Feb 29 17:11 /var/spool/output/lpd/.seq
> # /var/spool/output/lpd/.seq
> su: /var/spool/output/lpd/.seq: Permission denied
> #

Giving the execute bit to others, security-wise, means allowing others to search for that file and find it. If it's not there, then the process created by the current user will not be able to read the file, since they are not part of the daemon group. I would assume that at some time the contents of .seq were judged to be insecure for whatever reason, but it was judged that a user should still be able to, in a sense, read the file without reading its contents. Negative perms are not harmful.

I do suppose a 'daily_status_security_neggrpperm_dirs=' variable should be added here to control which directories are being scanned, much like chknoid.

--
;s =;
_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
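The thread is about files such as `-rw-r----x`, where "other" holds a right that "group" lacks, and about which directories the daily negative-group-permission check should scan. The script below is an added example, not code from this thread and not FreeBSD's own periodic(8) security script: it is a portable sh scanner that parses the symbolic mode field of `ls -l` instead of relying on GNU versus BSD `find -perm` or `stat` syntax. The function names (`has_right`, `neggrp_from_mode`, `scan_neggrpperm`, `demo_neggrpperm`) and the temporary test tree are assumptions made for the example; the demo files are constructed and are not the spool files discussed above.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's periodic(8) scripts).
# Finds regular files with "negative group permissions": a right that "other"
# has but "group" does not, e.g. the -rw-r----x mode of .seq discussed above.

# has_right CHAR: true if one ls(1) mode character grants the right.
# 's' (setuid/setgid) and 't' (sticky) also imply execute; 'S'/'T' do not.
has_right() {
    case $1 in
        r|w|x|s|t) return 0 ;;
        *)         return 1 ;;
    esac
}

# neggrp_from_mode MODESTRING: given the 10-character mode field from
# "ls -l" (e.g. "-rw-r----x"), print the rights that other has but group
# lacks, as a subset of "rwx". Prints an empty line when there are none.
neggrp_from_mode() {
    mode=$1
    result=""
    i=1
    while [ "$i" -le 3 ]; do
        g=$(printf '%s' "$mode" | cut -c"$((i + 4))")   # group column: chars 5-7
        o=$(printf '%s' "$mode" | cut -c"$((i + 7))")   # other column: chars 8-10
        if has_right "$o" && ! has_right "$g"; then
            case $i in
                1) result="${result}r" ;;
                2) result="${result}w" ;;
                3) result="${result}x" ;;
            esac
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$result"
}

# scan_neggrpperm DIR: walk DIR and print "MODE MISSING PATH" for every
# regular file whose group is missing a right that other has.
# Symlinks are skipped because find -type f does not match them.
scan_neggrpperm() {
    find "$1" -type f -print | while IFS= read -r f; do
        mode=$(ls -ld "$f" | cut -c1-10)
        missing=$(neggrp_from_mode "$mode")
        if [ -n "$missing" ]; then
            printf '%s %s %s\n' "$mode" "$missing" "$f"
        fi
    done
}

# demo_neggrpperm: build a constructed temporary tree (assumption: these
# are test files, not real spool files), scan it, and clean up.
demo_neggrpperm() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/seq-like";   chmod 641 "$tmp/seq-like"    # -rw-r----x  -> reported, x
    : > "$tmp/world-read"; chmod 604 "$tmp/world-read"  # -rw----r--  -> reported, r
    : > "$tmp/normal";     chmod 644 "$tmp/normal"      # -rw-r--r--  -> clean
    : > "$tmp/private";    chmod 640 "$tmp/private"     # -rw-r-----  -> clean
    scan_neggrpperm "$tmp"
    rm -rf "$tmp"
}

# Stand-alone run: prints the two constructed findings.
demo_neggrpperm
```

To use it on a real system, source the file and call `scan_neggrpperm /var/spool` (or whichever directories a `daily_status_security_neggrpperm_dirs`-style variable would list) as a user that can read those directories; the `MODE MISSING PATH` output is easy to diff against the previous day's run.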
Article ID (AID): #1FJcVao_ (FB_current)