LinuxQuestions.org
LinuxAnswers Discussion This forum is to discuss articles posted to LinuxAnswers.

Old 08-20-2003, 07:12 PM   #1
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86; Gentoo PPC; Gentoo Sparc64; FreeBSD; OS X; Solaris
Posts: 3,731
Blog Entries: 4

Rep: Reputation: 66
DISCUSSION: Quick and Dirty Guide to Linux File Permissions


This thread is to discuss the article titled: Quick and Dirty Guide to Linux File Permissions
 
Old 08-20-2003, 08:40 PM   #2
Azmeen
Senior Member
 
Registered: May 2003
Location: Malaysia
Distribution: Slackware, LFS, CentOS
Posts: 1,307

Rep: Reputation: 46
This article can be improved by touching on the chattr command as well.
 
Old 09-17-2003, 12:13 AM   #3
mlp68
Member
 
Registered: Jun 2002
Location: NY
Distribution: Gentoo,RH
Posts: 328

Rep: Reputation: 31
I see that the comments have dried up some time ago...

One suggestion, one comment: You could add some sentences about umask and what it does.

The comment is about this suid "myscript" thing. I know it's just to show the recipe, but it suggests that it's ok to have such a script, while it's not. ("'myscript' is a shell script that we are writing that performs a useful function.") The target here is people new to Linux, and they may not know better. Fundamentally, such a script cannot be made unexploitable (path issues. Temp file issues. IFS issues. Remaining race conditions that cannot be fixed. And so on and so on.) Because of that, the Linux kernel will not honor the suid bit for scripts, so on Linux one is safe. But Solaris has no such inhibitions, for example.

Just my 5cts on this peripheral issue. Nice article!

mlp
 
Old 01-16-2004, 12:48 AM   #4
king_nothingzzz
Member
 
Registered: Aug 2003
Location: Brisbane, Australia
Distribution: Red Hat Enterprise Linux 4
Posts: 120

Rep: Reputation: 15
Quote:
Originally posted by mlp68
The comment is about this suid "myscript" thing. I know it's just to show the recipe, but it suggests that it's ok to have such a script, while it's not. ("'myscript' is a shell script that we are writing that performs a useful function.") The target here is people new to Linux, and they may not know better. Fundamentally, such a script cannot be made unexploitable (path issues. Temp file issues. IFS issues. Remaining race conditions that cannot be fixed. And so on and so on.) Because of that, the Linux kernel will not honor the suid bit for scripts, so on Linux one is safe.
Firstly, I think that this is a very informative article. I really appreciate the author's help towards people who are new to Linux. This covers pretty much everything that one needs to know about file permissions for basic usage.

Secondly, I think all that bashing from mlp68 was totally unwanted. As far as I know, no newbie will even think about 'myscript', they will concentrate on how to go ahead setting file permissions. I'm saying this from a newbie's point of view. I'm not a Linux 'Guru', but certainly not a newbie.

I know how a newbie (with considerable IQ) will think while reading the article and what he/she concludes from it.

I mean, how many newbies do you know who know anything about path issues, temp file issues, IFS issues etc.?

Once again, I say that this is a very good article.

Cheers

King Nothing
 
Old 01-16-2004, 05:14 PM   #5
mlp68
Member
 
Registered: Jun 2002
Location: NY
Distribution: Gentoo,RH
Posts: 328

Rep: Reputation: 31
I wouldn't call my comment "bashing" - it's just a friendly comment.

M.
 
Old 01-17-2004, 12:25 AM   #6
king_nothingzzz
Member
 
Registered: Aug 2003
Location: Brisbane, Australia
Distribution: Red Hat Enterprise Linux 4
Posts: 120

Rep: Reputation: 15
Maybe *Bashing* was an inappropriate word, but it did look like that to me.
No offense, but still all those things that you said were not necessary.

King Nothing
 
Old 04-30-2004, 01:22 AM   #7
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86; Gentoo PPC; Gentoo Sparc64; FreeBSD; OS X; Solaris
Posts: 3,731
Blog Entries: 4

Original Poster
Rep: Reputation: 66
I didn't consider it bashing, in fact I'm still trying to figure out what the hell mlp68 is talking about. It was just a random example, and I used the 'myscript' thing because I wanted to fit chmod +x into the example. Wouldn't work with an image or mp3 in the example, would it?

BTW I just wanted to say that I did not add the parts about suid or the sticky bit, they were added by whoever proofread the article prior to posting it here.

Cheers folks....
 
Old 04-30-2004, 01:55 PM   #8
mlp68
Member
 
Registered: Jun 2002
Location: NY
Distribution: Gentoo,RH
Posts: 328

Rep: Reputation: 31
Hi Bulliver,

First off, sorry if others perceived my comment as bashing. It's a great and well-written article. I was just referring to that paragraph:


Quote:
SETUID

Normally, when a program is run it inherits all the rights/restrictions of the user that executed it. If a user can't read /var/log/messages, then neither can any program/script executed by that user. There is a way around this: we again use the chmod command but add a '4' at the beginning of the permission string, example:

Code:
chmod 4755 myscript

This would execute 'myscript' with the permissions of the file's owner (such as root, if the file is owned by root), and not the normal user executing 'myscript'. As you can imagine, this should be used sparingly if at all, as it defeats the normal permission structure, and can lead to security issues.
You say the right warning words, but since the Linux kernel doesn't honor the SUID bit for scripts at all (because of the security flaws I listed, and some more), this wouldn't work. But worse, other flavors of Unix don't have those inhibitions about suid scripts, and that's where it could become dangerous (that's why I said a novice could take away from here that it is ok, while it's not). You can have a suid (or guid) executable, but not a script.

Have a look at http://www.phrack.org/phrack/47/P47-05 (question 10) which I just googled. It has a nice summary and explanation of the 4 easiest exploits. (There are more.)

Again, I didn't mean to diminish your great article, just point out this thing. Sorry if it came across the wrong way.

mlp
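
Added example, not part of the thread or the article: a small audit for the case mlp68 raises, set-uid or set-gid files that are interpreter scripts rather than compiled executables. The function names and the sample files built under a temporary directory are constructed for illustration ('myscript' mirrors the article's name).

```shell
#!/bin/sh
# Added example: report set-uid/set-gid regular files that begin with "#!",
# i.e. interpreter scripts rather than compiled executables.

# find_suid_scripts DIR -> one matching path per line
# (paths containing newlines are not handled by this line-based loop)
find_suid_scripts() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # Only the first two bytes matter: a script starts with "#!"
        magic=$(head -c 2 "$f" 2>/dev/null)
        if [ "$magic" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed demo tree (sample files made up for this example)
demo_suid_audit() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho hi\n' > "$tmp/myscript"   # script, set-uid below
    printf '#!/bin/sh\necho hi\n' > "$tmp/plain.sh"   # script, ordinary mode
    printf '\177ELF' > "$tmp/binary"                  # fake ELF magic, set-uid
    chmod 4755 "$tmp/myscript" "$tmp/binary"
    chmod 0755 "$tmp/plain.sh"
    find_suid_scripts "$tmp" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

# Usage: sh audit.sh /usr/local/bin
if [ "$#" -gt 0 ]; then
    find_suid_scripts "$1"
fi
```

Any path this reports is a candidate for replacing the script with a compiled wrapper or a sudo rule, whichever Unix flavor it lives on.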
 
Old 05-14-2004, 12:46 AM   #9
thrice
Member
 
Registered: Apr 2003
Location: ft worth tx
Distribution: Gentoo 2005.0
Posts: 108

Rep: Reputation: 15
I think it's a great article. I've never really understood how absolute modes worked because the explanations I've read ramble on about bits and such, but your illustration made it very simple. Thanks again.
 
Old 05-14-2004, 01:38 AM   #10
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86; Gentoo PPC; Gentoo Sparc64; FreeBSD; OS X; Solaris
Posts: 3,731
Blog Entries: 4

Original Poster
Rep: Reputation: 66
Thanks man, means a lot...
 
Old 05-15-2004, 03:04 AM   #11
Qucho
Member
 
Registered: Mar 2004
Location: Colorado, US
Distribution: Debian "Sarge"
Posts: 228

Rep: Reputation: 30
Quote:
I think it's a great article. I've never really understood how absolute modes worked because the explanations I've read ramble on about bits and such, but your illustration made it very simple. Thanks again.
Hell YES !!!! this was in my mind all the time I was reading it. For the first time I get to understand that thingy.

And by it, I also inherited knowledge about WHAT in ALL heavens, my fstab should have for my winXP partitions and the DARN umask attribute !!!!!

This newbie has gotten a lot of benefit from the article. THANKS !!

What I didn't see explained there, and still want to know (might be out of scope) is: How do I add an executable to a specific group. (I.E. I want 'cdburn' to be executed by users in group 'cdwrite')
 
Old 05-15-2004, 05:48 AM   #12
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86; Gentoo PPC; Gentoo Sparc64; FreeBSD; OS X; Solaris
Posts: 3,731
Blog Entries: 4

Original Poster
Rep: Reputation: 66
Qucho:

Thanks for your kind words, now for your question...
Code:
chown root:cdwrite cdburn
chmod g+x cdburn
That's it! All the info was in the guide...you just need to string the principles together.

btw, I used a colon in the chown command above, since using a period is now deprecated. Better update the guide....

Thanks again.
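
Added example, not part of the thread: `chmod g+x` only adds the group execute bit, so if the file already allows execution by everyone, the "other" bit has to be removed before the program is limited to group members. To run unprivileged, this sketch uses the caller's own primary group in place of `cdwrite` and skips the change of owner to root; the function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example: effect of "chmod g+x" versus removing the "other" bits.

# perms FILE -> the nine permission characters, e.g. rwxr-x---
perms() {
    ls -ld "$1" | cut -c2-10
}

# is_group_restricted PERMS -> exit 0 if the group may execute and
# the "other" class may not (position 6 = group x, position 9 = other x)
is_group_restricted() {
    case $1 in
        ?????[xs]??[-T]) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed demo: prints "<mode after g+x> <mode after o-rwx>"
demo_group_exec() {
    tmp=$(mktemp -d) || return 1
    f=$tmp/cdburn
    printf '#!/bin/sh\necho burning\n' > "$f"
    chmod 755 "$f"             # typical mode of an installed program
    chgrp "$(id -g)" "$f"      # stand-in for: chown root:cdwrite cdburn
    chmod g+x "$f"             # the step from the thread
    before=$(perms "$f")
    chmod o-rwx "$f"           # added step: drop all access for "other"
    after=$(perms "$f")
    rm -rf "$tmp"
    printf '%s %s\n' "$before" "$after"
}

# Usage: sh group_exec.sh /usr/local/bin/cdburn
if [ "$#" -gt 0 ]; then
    if is_group_restricted "$(perms "$1")"; then
        echo "$1: executable by group, not by others"
    else
        echo "$1: not restricted to its group"
    fi
fi
```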
 
Old 05-15-2004, 09:05 PM   #13
Qucho
Member
 
Registered: Mar 2004
Location: Colorado, US
Distribution: Debian "Sarge"
Posts: 228

Rep: Reputation: 30
bulliver,

Thanks for everything. Yes, you are right, it is in the guide.

[edit] I read the article a couple more times, and finally I got it right.

Seems to me I cannot say 'thanks' enough times :P LOL...

Last edited by Qucho; 05-15-2004 at 09:11 PM.
 
Old 07-14-2004, 11:25 AM   #14
OnyxG7
LQ Newbie
 
Registered: May 2004
Distribution: Mandrake 9.2
Posts: 5

Rep: Reputation: 0
You should mention console.perms (usually in /etc/security/). When it comes to device permissions, it has the final word and chmod is useless. http://www.gentoo.org/doc/en/devfs-guide.xml#doc_chap4 gives more explanations.
 
Old 07-30-2004, 11:10 AM   #15
raxxal
Member
 
Registered: Jul 2004
Location: Los Angeles
Distribution: Mandrake 2007
Posts: 109

Rep: Reputation: 15
chattr

Good guide about file permissions, also we have available "chattr" which I find very useful. Let's say we want a directory with a read only permission. Probably there is more than one way to set this directory read only, but using chattr is very easy.

chattr +i dir_name
Bingo! Nobody can write to it. Not even root.

These were my two cents,
Raxxal
 
  


All times are GMT -5. The time now is 05:17 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration