Unix administration - Negative permissions WITHOUT ACLs


Starfish

2006-10-11, 1:23 pm

Hello, if someone can answer this question you make a lot of Uppsala
University students happy.

Here goes: How do you specify negative permission¹ in Unix/Linux
without using ACLs?

¹E.g. saying that the user "Ellen" should not have write access to a
file regardless of the permissions given to her groups.

Stefaan A Eeckels

2006-10-11, 1:23 pm

On 11 Oct 2006 06:10:36 -0700
"Starfish" <frel8817@student.uu.se> wrote:

> Hello, if someone can answer this question you make a lot of Uppsala
> university students happy.
>
> Here goes: How do you specify negative permission¹ in Unix/Linux
> without using ACLs?
>
> ¹E.g. saying that the user "Ellen" should not have write access to a
> file regardless of the permissions given to her groups.


Easy, because user privileges prime group privileges:

[199] echo "Hello" >foo
[200] ls -l foo
-rw-r--r-- 1 ellen staff 6 Oct 11 18:40 foo
[201] chmod u-r foo
[202] cat foo
cat: cannot open foo
[203] chmod u-w foo
[204] echo " there" >>foo
foo: Permission denied.
[205] ls -l foo
----r--r-- 1 ellen staff 6 Oct 11 18:40 foo

Of course, ellen can recover read and write privileges through chmod as
she took them away to begin with.

To avoid that, remove the world execute privilege from chmod, and have
root remove the write privilege from the file.

[206] ls -l /bin/chmod
-r-xr-xr-x 1 root bin 18500 Apr 7 2002 /bin/chmod

Was that what you were looking for?

--
Stefaan A Eeckels
--
The only statistics you can trust are those you falsified yourself.
-- Winston Churchill
Mark Rafn

2006-10-11, 1:23 pm

Starfish <frel8817@student.uu.se> wrote:
>Here goes: How do you specify negative permission¹ in Unix/Linux
>without using ACLs?


In a standard unix, without ACLs, you have ONLY user, group, and other
permission. You can get quite clever in mixing them, and in playing with
directory vs file permissions, though.

>¹E.g. saying that the user "Ellen" should not have write access to a
>file regardless of the permissions given to her groups.


Make her the owner, and take away owner write privileges on the file and make
sure she can't write the directory (or she could delete and re-create the
file). This answers your question, but probably isn't what you want, as your
next question is "how do I make a file writable by members of group foo except
ellen and bob?". You can't.

Use ACLs, or set up your groups more carefully, or don't use file permissions
to handle this need - put a service layer on top of it that's more flexible.
--
Mark Rafn dagon@dagon.net <http://www.dagon.net/>
Stefaan A Eeckels

2006-10-11, 7:21 pm

On Wed, 11 Oct 2006 10:22:59 -0700
dagon@dagon.net (Mark Rafn) wrote:

> Make her the owner, and take away owner write privileges on the file
> and make sure she can't write the directory (or she could delete and
> re-create the file).


Actually, that won't work because she can (as owner) reset the
privileges even though the directory is not writable. Remember that the
inode stores the file rights, not the directory entry (which happens to
be just a name and a pointer to the inode).

--
Stefaan A Eeckels
--
"Technically, Windows is an 'operating system,' which means that it
supplies your computer with the basic commands that it needs to
suddenly, with no warning whatsoever, stop operating." -Dave Barry
Mark Rafn

2006-10-11, 7:21 pm

>dagon@dagon.net (Mark Rafn) wrote:

Stefaan A Eeckels <hoendech@ecc.lu> wrote:
>Actually, that won't work because she can (as owner) reset the
>privileges even though the directory is not writable. Remember that the
>inode stores the file rights, not the directory entry (which happens to
>be just a name and a pointer to the inode).


Yeah, dumb suggestion, sorry. Ignore that, and go back to the correct answer:
use an access control method that fits your needs. Unix file permissions
aren't it.
--
Mark Rafn dagon@dagon.net <http://www.dagon.net/>
Stephane CHAZELAS

2006-10-11, 7:21 pm

2006-10-11, 15:19(-07), Mark Rafn:
>
> Stefaan A Eeckels <hoendech@ecc.lu> wrote:
>
> Yeah, dumb suggestion, sorry. Ignore that, and go back to the correct answer:
> use an access control method that fits your needs. Unix file permissions
> aren't it.

[...]

Or see the response I gave in comp.unix.questions, where that
question was multiposted, that is:

chown someone file # where someone has a different uid than ellen
chgrp ellen file # where ellen is a group ellen is in by herself
chmod o+t . # so that ellen can't remove "file" and create a new one
chmod g-w file # so that ellen doesn't have write access to the file

--
Stéphane
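Both workable layouts in this thread (Stefaan's u-w on an ellen-owned file above, and Stéphane's chgrp-to-a-personal-group plus sticky-directory recipe here) depend on the same rule: the kernel selects exactly one permission class (owner, else group, else other) and never falls through to a more permissive one. The following is an added Python model of that class selection and of sticky-bit unlink checks; it is not code from any poster, it is a simplification of the real kernel checks, and every uid/gid in it is constructed.

```python
from dataclasses import dataclass
R, W, X = 4, 2, 1          # classic rwx bits
STICKY = 0o1000            # the "t" bit that chmod o+t sets on a directory

@dataclass
class Inode:
    uid: int
    gid: int
    mode: int              # e.g. 0o1777 for a sticky, world-writable directory

@dataclass
class Process:
    uid: int
    gids: set              # primary plus supplementary groups

def class_bits(inode, proc):
    """Pick the single rwx triple that applies: owner, else group, else other (no fall-through)."""
    if proc.uid == 0:
        return R | W | X   # root bypasses the mode bits (simplified)
    if proc.uid == inode.uid:
        return (inode.mode >> 6) & 7
    if inode.gid in proc.gids:
        return (inode.mode >> 3) & 7
    return inode.mode & 7

def may(inode, proc, want):
    return class_bits(inode, proc) & want == want

def may_unlink(dir_inode, file_inode, proc):
    """Unlinking needs w+x on the directory; with the sticky bit set, the caller must also own the file or the directory (or be root)."""
    if not may(dir_inode, proc, W | X):
        return False
    if dir_inode.mode & STICKY and proc.uid != 0:
        return proc.uid in (file_inode.uid, dir_inode.uid)
    return True

# Constructed ids: ellen=1001, bob=1002, "someone"=1003; group ellen=2001 holds only ellen; staff=100
ELLEN, BOB, SOMEONE, G_ELLEN, G_STAFF = 1001, 1002, 1003, 2001, 100
ellen = Process(ELLEN, {G_ELLEN, G_STAFF})
bob = Process(BOB, {G_STAFF})

def stefaan_case():
    # ellen owns the file with u-w while group staff keeps rw: the owner class wins for ellen
    f = Inode(uid=ELLEN, gid=G_STAFF, mode=0o060)
    return may(f, ellen, W), may(f, bob, W)          # (False, True)

def stephane_case():
    # chown someone; chgrp ellen; chmod g-w (others keep rw); chmod o+t on the directory
    d = Inode(uid=0, gid=G_STAFF, mode=0o1777)
    f = Inode(uid=SOMEONE, gid=G_ELLEN, mode=0o646)
    return may(f, ellen, W), may(f, bob, W), may_unlink(d, f, ellen)   # (False, True, False)
```

In the Stéphane layout ellen is caught by the group class, which carries no write bit, while every other user falls to the other class; the sticky bit is what stops her from unlinking and re-creating the file.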
Logan Shaw

2006-10-12, 1:36 am

Stefaan A Eeckels wrote:
> On 11 Oct 2006 06:10:36 -0700
> "Starfish" <frel8817@student.uu.se> wrote:
>
>
> Easy, because user privileges prime group privileges:
>
> [199] echo "Hello" >foo
> [200] ls -l foo
> -rw-r--r-- 1 ellen staff 6 Oct 11 18:40 foo
> [201] chmod u-r foo
> [202] cat foo
> cat: cannot open foo
> [203] chmod u-w foo
> [204] echo " there" >>foo
> foo: Permission denied.
> [205] ls -l foo
> ----r--r-- 1 ellen staff 6 Oct 11 18:40 foo
>
> Of course, ellen can recover read and write privileges through chmod as
> she took them away to begin with.
>
> To avoid that, remove the world execute privilege from chmod, and have
> root remove the write privilege from the file.


What would stop ellen from compiling her own chmod from source?
Or simply calling, say, "perl -e 'chmod (0755, @ARGV)' /path/to/foo"?

- Logan
Barry Margolin

2006-10-12, 1:36 am

In article <1160572236.667899.124500@k70g2000cwa.googlegroups.com>,
"Starfish" <frel8817@student.uu.se> wrote:

> Hello, if someone can answer this question you make a lot of Uppsala
> university students happy.


How many times are you going to post the same question? Please learn to
cross-post properly.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
Stefaan A Eeckels

2006-10-12, 7:34 am

On Thu, 12 Oct 2006 01:04:18 GMT
Logan Shaw <lshaw-usenet@austin.rr.com> wrote:

> What would stop ellen from compiling her own chmod from source?
> Or simply calling, say, "perl -e 'chmod (0755, @ARGV)' /path/to/foo"?


Nothing - but if that's a concern (mind you, I'm not advocating this as
a serious approach to security) one can remove PERL and cc.

In the 80s I worked with an auditor who seriously considered "securing"
a Unix system through tricks like these. To his credit, there weren't
any ACLs in SysV.0.

--
Stefaan A Eeckels
--
"Object-oriented programming is an exceptionally bad idea which
could only have originated in California." --Edsger Dijkstra
Bill Vermillion

2006-10-15, 1:27 pm

In article <q77004-0ve.ln1@hydra.dagon.net>, Mark Rafn <dagon@dagon.net> wrote:
>
>Stefaan A Eeckels <hoendech@ecc.lu> wrote:
>
>Yeah, dumb suggestion, sorry. Ignore that, and go back to the correct answer:
>use an access control method that fits your needs. Unix file permissions
>aren't it.


You could change the ownership of the directory. I used to
routinely make the user top directory not-owned by them, and then
created sub-directories for them to run their local apps. This
way they could not change their .profile or any other dot-files as
they didn't own the directory above and did not have any write
privileges to that.

Bill

--
Bill Vermillion - bv @ wjv . com

Copyright 2003 - 2008 webservertalk.com