LinuxQuestions.org
Old 10-09-2003, 08:02 AM   #1
mikeshn
Member
 
Registered: Feb 2002
Distribution: Fedora Core 2
Posts: 586

Rep: Reputation: 30
Why chmod cannot change symbolic link permission?


I know that chmod cannot change symbolic link permissions.
Why is it prohibited?
 
Old 10-09-2003, 08:45 AM   #2
whansard
Senior Member
 
Registered: Dec 2002
Location: Mosquitoville
Distribution: RH 6.2, Gen2, Knoppix, 98,2000 + various
Posts: 3,171

Rep: Reputation: 52
The link is just a shortcut to the file. It will have the
same permissions as the file it points to, except for
operations that only reference the symlink.
You may own the file, and someone else may own the
symlink. They can delete the symlink, but not the original
file. If you make the file read-only to everyone else, they
shouldn't be able to make it writeable with a symlink.
 
Old 06-09-2009, 07:12 PM   #3
Maurizio1230
LQ Newbie
 
Registered: Nov 2008
Posts: 4

Rep: Reputation: 0
DO YOU KNOW A WAY FOR MAKING A LINK WITH A 755 PERMISSION?
The impossibility of changing its permissions creates a lot of problems on a web server. Let me explain why:
  1. A symbolic link has only 777 permissions;
  2. Many hosts are now installing PHPsuexec as an added security measure.
  3. This will affect all of us who use PHPclassifieds in that .htaccess files are not permitted [we used these to turn register_globals off] and CHMOD permissions cannot be set to 777.
  4. If I go to the symbolic link, it will result in a 500 internal server error when attempting to view it.

This symbolic link points to a CGI script with 755 permissions.
If permissions on a symbolic link don't really mean anything, and if the only permissions that count are the permissions on the file that the link points to, IT SHOULD WORK.

Thank you very much

Last edited by Maurizio1230; 06-09-2009 at 07:21 PM.
 
Old 06-09-2009, 07:47 PM   #4
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,043

Rep: Reputation: 375
Permissions on symlinks would simply make no sense at all; only the permissions of the file that they point to are relevant, and that's what Linux changes when you chmod a symbolic link.

This is not only true for Linux, but also for every other Unix (and Unix clone) that I've tried.

Quote:
Originally Posted by Maurizio1230 View Post
DO YOU KNOW A WAY FOR MAKING A LINK WITH A 755 PERMISSION?
No.

Quote:
The impossibility of changing its permissions creates a lot of problems on a web server. Let me explain why:
  1. A symbolic link has only 777 permissions;
  2. Many hosts are now installing PHPsuexec as an added security measure.
  3. This will affect all of us who use PHPclassifieds in that .htaccess files are not permitted [we used these to turn register_globals off] and CHMOD permissions cannot be set to 777.
  4. If I go to the symbolic link, it will result in a 500 internal server error when attempting to view it.

This symbolic link points to a CGI script with 755 permissions.
If permissions on a symbolic link don't really mean anything, and if the only permissions that count are the permissions on the file that the link points to, IT SHOULD WORK.

Thank you very much
The problem is not created by symlinks; they have existed for more than two decades now, they are a good thing and work OK for everyone except phpsuexec, so you can deduce where the bug lies...

All the smart programs dereference symlinks when they need to, instead of blindly operating over files of the wrong type. It's as easy as checking that the file is a regular file. If it's regular or a dir, then OK; if it's a symlink, dereference it and operate as you must. If phpsuexec or whatever PHP code you use doesn't do it, then you are going to have to do it yourself by wrapping the code in the necessary checks.

There's no point and no logic behind modifying the permissions of a symlink from a conceptual point of view (even if that was possible, which it is not). If accessing a file was as easy as creating a symlink to it and then changing the permissions of the symlink, then Linux would be the most insecure OS in the world.

It would be like drawing a door in a wall with a pencil and pretending to open it when you don't have the key to the front door.

Last edited by i92guboj; 06-09-2009 at 08:07 PM.
 
Old 06-10-2009, 06:06 AM   #5
Maurizio1230
LQ Newbie
 
Registered: Nov 2008
Posts: 4

Rep: Reputation: 0
Quote:
SuExec works fine for symbolic links as long as the file that is called does not link to some other file. The traversal of links (e. g. links to another directory) does not pose a problem. Calling files that themselves are links to other files, is not possible.
There is no solution to use suexec with links representing files.
Poor me!!! Now I have to edit it all again
Oh, it's something formal: For me it's better to draw a door in a wall with a pencil hehe

Thank you very much.
 
Old 07-09-2010, 09:14 AM   #6
c0pe
LQ Newbie
 
Registered: Jul 2010
Posts: 22

Rep: Reputation: 0
I know this is an old thread but I want to comment anyway... There *are* scenarios in which changing permissions of a link itself, and not what it points to, would be desirable. I have one right now. I need a link that is created in each user's home directory that I don't want them to be able to remove or change in any way. So to me, if a sym link is a file, you should be able to change the filesystem permissions on it.

Is a sym link a file? I assume it is, like a 'shortcut' in the Windows world. But if not, please correct me so I understand what it really is, then that may allow me to understand why you shouldn't be able to change its filesystem permissions. Currently I'm thinking it's a file, it simply points to another filesystem location, but it is itself a separate entity from the location it points to.
 
Old 07-10-2010, 02:17 AM   #7
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,043

Rep: Reputation: 375
http://en.wikipedia.org/wiki/Symbolic_link
 
Old 08-27-2010, 02:26 AM   #8
martinkunev
LQ Newbie
 
Registered: Oct 2007
Location: Sofia, Bulgaria
Distribution: Debian, Gentoo
Posts: 6

Rep: Reputation: 1
Quote:
Originally Posted by i92guboj View Post
All the smart programs dereference symlinks when they need to, instead of blindly operating over files of the wrong type. It's as easy as checking that the file is a regular file. If it's regular or a dir, then OK; if it's a symlink, dereference it and operate as you must.
Actually the operating system is the one that handles symbolic links. The way to access files is using system calls. The system calls automatically dereference the symbolic link (with the exception of several system calls designed to manipulate the symbolic links).

The idea of the permissions is to restrict system calls. The few system calls that work with symbolic links don't really need any permissions to work properly and securely so actually symbolic links have no permissions associated with them. That's a good thing because it leaves more free space in the inode to implement fast symlinks (for more information see http://en.wikipedia.org/wiki/Symbolic_link). The permissions that you actually see with "ls -l" are just some information that the kernel generates when the "lstat" system call is invoked on a symbolic link.

Last edited by martinkunev; 08-27-2010 at 02:33 AM. Reason: correction
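
The stat/lstat distinction described in the post above, as an added example that is not part of the original thread: it shows `chmod` on a link name landing on the target while the link's own reported mode stays fixed. It assumes Linux and a `stat` that accepts `-c` (GNU coreutils or BusyBox); all file names are constructed.

```shell
#!/bin/sh
# Constructed demo: all paths live in a throwaway temp directory.
# Assumes Linux and a stat(1) that accepts -c (GNU coreutils or BusyBox).

# Prints four octal modes separated by spaces:
#   link (lstat)  target before  target after chmod-via-link  link afterwards
symlink_chmod_demo() {
    dir=$(mktemp -d) || return 1
    printf 'data\n' > "$dir/target"
    chmod 600 "$dir/target"
    ln -s target "$dir/link"

    # stat without -L uses lstat(2): it describes the link itself.
    link_before=$(stat -c %a "$dir/link")
    # stat -L uses stat(2): the kernel resolves the link first.
    target_before=$(stat -L -c %a "$dir/link")

    # chmod(2) resolves the path, so this changes the target's inode.
    chmod 640 "$dir/link"

    target_after=$(stat -c %a "$dir/target")
    link_after=$(stat -c %a "$dir/link")

    rm -rf "$dir"
    echo "$link_before $target_before $target_after $link_after"
}

symlink_chmod_demo   # on Linux: 777 600 640 777
```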
 
Old 08-27-2010, 08:56 AM   #9
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,095
Blog Entries: 2

Rep: Reputation: 111
Quote:
Originally Posted by c0pe
I know this is an old thread but I want to comment anyway... There *are* scenarios in which changing permissions of a link itself, and not what it points to, would be desirable. I have one right now. I need a link that is created in each user's home directory that I don't want them to be able to remove or change in any way. So to me, if a sym link is a file, you should be able to change the filesystem permissions on it.
You can't do that with a regular file either. If the user has write permissions on a directory, they can always remove a file, even if it is owned by root and has 000 perms (the exception to this is if the directory is chmod +t (sticky bit); then only the owner can remove the file, and that would apply to symlinks as well). The best you can do is make a subdir that they don't have write perms on and put a file in there, or add the sticky bit.

Last edited by estabroo; 08-27-2010 at 08:57 AM. Reason: quote failed
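
The directory-permission rule from the post above, as an added example that is not part of the original thread: a mode-000 file and a symlink are unlinked from a writable directory, then the same is attempted in a subdirectory without write permission. The names `open`, `locked`, `pinned` and `link` are constructed; root bypasses these checks, so the second half only reports `blocked` for an unprivileged user.

```shell
#!/bin/sh
# Constructed demo in a temp directory. Unlinking is governed by the
# permissions of the containing directory, not by the mode of the entry.
# The sticky-bit case is not shown: it needs a second user account.

try_remove() {   # prints "removed" or "blocked" for one path
    if rm -f -- "$1" 2>/dev/null && [ ! -L "$1" ] && [ ! -e "$1" ]; then
        echo removed
    else
        echo blocked
    fi
}

# Prints four results: open/pinned open/link locked/pinned locked/link
unlink_demo() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/open" "$dir/locked"
    for d in open locked; do
        : > "$dir/$d/pinned"
        chmod 000 "$dir/$d/pinned"      # entry itself grants nothing
        ln -s pinned "$dir/$d/link"
    done
    chmod 555 "$dir/locked"             # drop write permission on the directory

    r1=$(try_remove "$dir/open/pinned")
    r2=$(try_remove "$dir/open/link")
    r3=$(try_remove "$dir/locked/pinned")
    r4=$(try_remove "$dir/locked/link")

    chmod 755 "$dir/locked"             # restore so cleanup can proceed
    rm -rf "$dir"
    echo "$r1 $r2 $r3 $r4"
}

unlink_demo   # unprivileged user: removed removed blocked blocked
```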
 
Old 07-21-2011, 11:59 AM   #10
numa
LQ Newbie
 
Registered: Jul 2006
Location: Bath, uk
Distribution: PCLinuxOS; CentOS; Distributions developed with Wind River Linux 4.1
Posts: 19

Rep: Reputation: 0
I found another reason for which it would be useful to chmod symbolic links: To change the permissions of busybox symbolic links to stop certain users from being able to su (http://www.cromwell-intl.com/securit...ardening.html: Limit the set of people able to attempt to become root).
Hopefully there is another solution.
 
Old 07-22-2011, 02:19 AM   #11
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,310

Rep: Reputation: 2039
As far as 'locking' a file (& in Linux it's all files) against changes goes, only root (or equiv) can use the chattr cmd http://linux.die.net/man/1/chattr; you'll want the -i flag
 
Old 07-22-2011, 05:27 AM   #12
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,043

Rep: Reputation: 375
Quote:
Originally Posted by numa View Post
I found another reason for which it would be useful to chmod symbolic links: To change the permissions of busybox symbolic links to stop certain users from being able to su (http://www.cromwell-intl.com/securit...ardening.html: Limit the set of people able to attempt to become root).
Hopefully there is another solution.
Users could still create their own symlinks to busybox, with whatever name they want and whatever permissions they wish.
 
Old 07-22-2011, 07:37 AM   #13
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,422

Rep: Reputation: 1157
You should be using ACLs (Access Control Lists) anyway.
 
Old 07-26-2011, 09:49 AM   #14
numa
LQ Newbie
 
Registered: Jul 2006
Location: Bath, uk
Distribution: PCLinuxOS; CentOS; Distributions developed with Wind River Linux 4.1
Posts: 19

Rep: Reputation: 0
Hi,

Thank you very much for your answers and sorry for taking so much time to reply (due to the lack of internet connection over the last few days).

chrism01: I don't think that this command will help me as I would like to stop a user from running the su command, which is an existing link to busybox.

i92guboj: Same as above.

sundialsvcs: This sounds like a good solution but this command doesn't exist on my system and I am not sure how to add it. I am running a ramfs image loaded into RAM (embedded device) and the filesystem is rootfs. I might need to enable Tmpfs POSIX Access Control Lists in the kernel but I doubt that will provide me with the command.

Would anybody have any idea how to add setfacl into an image based on busybox?
Does this command come from a package, a kernel option or a busybox option?

Cheers,

Emmanuel

It doesn't look like Wind River is supporting the ACL package.

Last edited by numa; 07-26-2011 at 10:06 AM. Reason: More research done
 
Old 07-27-2011, 12:53 AM   #15
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,310

Rep: Reputation: 2039
Quote:
I would like to stop a user from running the su command,
That's a slightly different qn.
In that case (bear in mind I've only got Solaris in front of me but principle is the same), remove other/world perms from su binary and ensure user is not root or in group owning su eg
Code:
> which su
/usr/bin/su
> ll /usr/bin/su
-r-sr-xr-x   1 root     sys        25748 May 25  2005 /usr/bin/su

# amend perms to
-r-sr-x---
As above, for more fine-grained limits, use ACLs if possible. How many users really need to use it?
You could also use sudo after doing the above.
 
  

