LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 11-01-2014, 10:29 AM   #1
keshavan
LQ Newbie
 
Registered: Nov 2014
Posts: 5

Rep: Reputation: Disabled
setfsuid has no effect on access


I am trying to do file operations depending on logged-in user in my java web application. For this, I have used JNI native implementation to set the fs uid & fs gid to the logged-in user's uid and gid. Now, file operations are allowed only if the logged-in user has permissions.

I also want to retrieve whether the logged-in user has read/write/execute permissions for a file. Tried to use the access, faccessat system calls but they do not seem to be using the fs uid.

How do I get the file permissions for a logged-in user?
 
Old 11-02-2014, 05:04 AM   #2
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,600

Rep: Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241
Users don't have file permissions... They have UID/GID, and capabilities (usually minimal).

Files and directories have access permissions that are associated with the UID/GID assigned to the file. So users only have permissions when their UID/GID is matched against a specific file, and THEN the permissions associated with the file define what the user can do.
 
Old 11-02-2014, 06:46 AM   #3
keshavan
LQ Newbie
 
Registered: Nov 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
Thanks Pollard for the inputs on the internal storage.

Found a simple way of solving the problem. I am sure that the solution is incomplete. Also, it does not take ACLs into account. However, even if access permissions were not accurate, the web application does not corrupt FS and at-most we get a permission denied error while performing file operations.

Suppose userName is the user logged-in into web application & path is the file path,

struct passwd *pw = getpwnam(userName);
if (pw == NULL) {
return NULL;
}
jint fill[3];//rwx - 1 indicates success, 0 indicates failure
if(pw->pw_uid == 0) {
fill[0] = fill[1] = fill[2] = 1;
} else {
struct stat info;
stat(path, &info);
int mode = info.st_mode;

if(pw->pw_uid == info.st_uid) {
fill[0] = mode & S_IRUSR ? 1 : 0; /* 3 bits for user */
fill[1] = mode & S_IWUSR ? 1 : 0;
fill[2] = mode & S_IXUSR ? 1 : 0;
} else if(pw->pw_gid == info.st_gid) {
fill[0] = mode & S_IRGRP ? 1 : 0; /* 3 bits for group */
fill[1] = mode & S_IWGRP ? 1 : 0;
fill[2] = mode & S_IXGRP ? 1 : 0;
} else {
fill[0] = mode & S_IROTH ? 1 : 0; /* 3 bits for group */
fill[1] = mode & S_IWOTH ? 1 : 0;
fill[2] = mode & S_IXOTH ? 1 : 0;
}
}
 
Old 11-02-2014, 06:57 AM   #4
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,600

Rep: Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241
Why not use "getuid"?

Basically, you just want the access function. You just have to specify what access you want to be tested.

BTW, you reference "the web application" - a web user is not the same as a "login". The only login web servers use is the one the server is running under, not what somebody "logged in" is.

The easiest way to access a file is still to just try to access it. If it doesn't work, you get an error.
 
Old 11-02-2014, 07:21 AM   #5
keshavan
LQ Newbie
 
Registered: Nov 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
Sorry, I assumed a lot of things while posting. The user logged-in into the web application is also a linux user. getuid would return the uid of the user in whose context process is running. However, I need the uid of the linux user logged in into the application.
 
Old 11-02-2014, 09:56 AM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,600

Rep: Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241
Quote:
Originally Posted by keshavan View Post
Sorry, I assumed a lot of things while posting. The user logged-in into the web application is also a linux user. getuid would return the uid of the user in whose context process is running. However, I need the uid of the linux user logged in into the application.
Ok.

But that still won't grant the web server access. And you might not even have access to the path to retrieve the permissions - as all of that is evaluated using the UID of web server.
 
Old 11-02-2014, 11:43 PM   #7
keshavan
LQ Newbie
 
Registered: Nov 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
The process (not the web server process) doing the file operations is running as root.
 
Old 11-03-2014, 05:12 AM   #8
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,600

Rep: Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241Reputation: 1241
Ok. So the system is insecure (general assumption because web servers aren't all that secure - they are too large and do too many things to be verified).

Second, if the process is running as root, the best way to test is to set the effective UID, then make the access as that user.

The problem that exists is that you aren't testing the path to the file. The stat (operating as root) always has access to any intermediate directories or passing through symbolic links. Access via the actual user that gets tested every time.
 
1 members found this post helpful.
Old 11-03-2014, 06:58 AM   #9
keshavan
LQ Newbie
 
Registered: Nov 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
The process which does file operations is multi-threaded. Setting uid did not work. Have not tried setting effective uid. Before doing the file operation, we verify if the path is navigable (read + execute permissions for all parent folders).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Effect of Windows ACL on rsync file access Z038 Linux - Security 0 01-06-2010 02:57 AM
For 3D Effect ramesh mohite Fedora 1 10-22-2007 04:24 PM
/etc/hosts.deny/hosts.allow have no effect on sshd access bganesh Linux - Security 4 05-04-2006 09:06 PM
Mac-like effect ? mykrob Linux - General 1 08-16-2004 05:12 PM
htpasswd... not in effect 3AM Fedora 1 06-11-2004 01:02 PM


All times are GMT -5. The time now is 03:55 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration