LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-12-2019, 05:29 PM   #16
BarryQualp
LQ Newbie
 
Registered: Jun 2019
Posts: 9

Rep: Reputation: 0
Permissions Issues 774


If anyone is a domain admin in a w2k domain, they can take ownership of a folder and then change permissions on that folder.
 
Old 07-12-2019, 06:23 PM   #17
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,627

Rep: Reputation: 1204
Quote:
Originally Posted by BW-userx View Post
Setting it to the s marker didn't do anything either.
You have the sticky bit on the user, not on the group.

Try g+s on the directory.
 
Old 07-12-2019, 06:34 PM   #18
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: FreeBSD/Slackware-14.2+/ArcoLinux
Posts: 9,070

Original Poster
Rep: Reputation: 1901
Quote:
Originally Posted by scasey View Post
You have the sticky bit on the user, not on the group.

Try g+s on the directory.
Code:
sudo chmod u-s,g+s directory
?

When I get a chance I'll bounce into another user and give that a go. I'm DL'ing at the moment.

Last edited by BW-userx; 07-12-2019 at 06:37 PM.
 
Old 07-13-2019, 01:18 AM   #19
ehartman
Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 895

Rep: Reputation: 469
Quote:
Originally Posted by scasey View Post
You have the sticky bit on the user, not on the group.

Try g+s on the directory.
Again: sticky is "+t" and for a directory is the "restricted deletion" bit
Quote:
The sticky bit works in a different way: while it has no effect on files, when used on a directory, all the files in said directory will be modifiable only by their owners. A typical case in which it is used, involves the /tmp directory. Typically this directory is writable by all users on the system, so to make impossible for one user to delete the files of another one, the sticky bit is set
while g+s sets the setgid (set group id) bit and only affects subsequently created files and subdirectories:
Quote:
When used on a directory, instead, the setgid bit alters the standard behavior so that the group of the files created inside said directory, will not be that of the user who created them, but that of the parent directory itself. This is often used to ease the sharing of files (files will be modifiable by all the users that are part of said group).
Both quotes from http://linuxconfig.org/how-to-use-sp...nd-sticky-bits
 
1 members found this post helpful.
Old 07-13-2019, 01:30 AM   #20
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,627

Rep: Reputation: 1204
Quote:
Originally Posted by ehartman View Post
Again: sticky is "+t" and for a directory is the "restricted deletion" bit

while g+s sets the setgid (set group id) bit and only affects subsequently created files and subdirectories:

Both quotes from http://linuxconfig.org/how-to-use-sp...nd-sticky-bits
Thank you for clarifying... and I apologize for using the term incorrectly... I blame my mentors.

That said, setgid will do what the OP wants, yes?
 
Old 07-13-2019, 07:15 AM   #21
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: FreeBSD/Slackware-14.2+/ArcoLinux
Posts: 9,070

Original Poster
Rep: Reputation: 1901
So far this is not working... as I even came to believe that if two or more people were in the same group, and a dir or file is also owned by that same group, then whoever is attached to this group has all the rights that the group has on anything belonging to that group as well.

Whereas now that I am playing around with more than one user, all attached to the same primary group, which is 'users', still all that group gets is read permissions, where it should have read, write, and execute if needed. So if I write a script as one user, and log in as a different user, then that user too should be able to not only run that script, but modify it too if needed; same for transferring files (copy, paste, move).

Does this not take place on a system that has a web server set up on it? If I remember correctly, when I delved into that momentarily, they had a setup where the permissions on the dir on the system side were given to a group to read, write, and maybe even execute, which anyone attached to that group had privileges to do.

Even across distros where I have a tri-boot, 2 of them Linux, I still get the cannot write to, or change a file, or add files into a directory on a shared partition being used just for that.

It was never an issue because I've always used one user name and changed the primary group to user for both and matched the UIDs/GIDs on both distros; now with multiple users in the same group and GID they cannot completely share a file or dir.
So this leaves me confused now.

I was thinking that if one gives a group itself designated rights, read, write, execute, then whoever is attached to this same said group all inherit everything that the group has, and thus no matter who it is, as long as they are attached to this same said group, they too adopt the same said privileges.

What I found is all that the users group has or gets is read privileges and that is it. If it was able to obtain read, write, and execute, then this would not be the/an issue.

Last edited by BW-userx; 07-13-2019 at 07:22 AM.
 
Old 07-13-2019, 07:21 AM   #22
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,110
Blog Entries: 3

Rep: Reputation: 1980
Quote:
Originally Posted by BW-userx View Post
I was thinking that if one gives a group itself designated rights, read, write, execute, then whoever is attached to this same said group all inherit everything that the group has, and thus no matter who it is, as long as they are attached to this same said group, they too adopt the same said privileges.
Yes but only if the SetGID bit is set for that directory or you have used ACLs there to define a default set of permissions. See the blog link in post #3 above.
 
Old 07-13-2019, 07:27 AM   #23
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: FreeBSD/Slackware-14.2+/ArcoLinux
Posts: 9,070

Original Poster
Rep: Reputation: 1901
Quote:
Originally Posted by Turbocapitalist View Post
Yes but only if the SetGID bit is set for that directory or you have used ACLs there to define a default set of permissions. See the blog link in post #3 above.
Which is the s for setGID? I'd have to go back and review; I just got up.

From what I remember reading about that setting to the S thing, it is not providing that which I desire, or as I believe it should be. What is the use of a group if all that are attached to it cannot have more than just read privileges? To me it looks like this ACL is an afterthought, and it looks like I might have to dig into how to do ACLs.

Then comes that what about between two distros?
 
Old 07-13-2019, 07:35 AM   #24
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: FreeBSD/Slackware-14.2+/ArcoLinux
Posts: 9,070

Original Poster
Rep: Reputation: 1901
It does not look too hard. I thought it required having to set up a file and whatever else, something like polkit, and if I reinstall I've got a backup of those files to cut back on having to rewrite everything.

I got one distro with just one user, and my other distro has three users, where one user is the same between the two. So this is going to be either interesting and easy, or a pain.
 
Old 07-13-2019, 07:52 AM   #25
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: FreeBSD/Slackware-14.2+/ArcoLinux
Posts: 9,070

Original Poster
Rep: Reputation: 1901
Maybe this is what I am missing,
Quote:
When set on a file or directory, the sticky bit, or +t mode, means that only the owner (or root) can delete the file, regardless of which users have write access to this file/directory by way of group membership or ownership. This is useful when a file or directory is owned by a group through which a number of users share write access to a given set of files.
If I set the dir to be owned by the group users, and give that dir read, write, execute, then whoever is within that group then has access to it to read, write, and execute. So whenever I create a dir I need to change ownership to a group, and even if I am using ACLs that too would need to be applied. This is an extra step for everything that I create, be it a dir or file: I still would need to change permissions or ownership on that which I created each and every time (if I'm planning on keeping same said directory or file in use).

Last edited by BW-userx; 07-13-2019 at 07:54 AM.
 
Old 07-13-2019, 04:49 PM   #26
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,627

Rep: Reputation: 1204
Repeating #17, in which I used an incorrect term for what I was suggesting.
This time with the correct term.
Quote:
Originally Posted by scasey View Post
You have the setuid bit on the user, not the setgid bit on the group.

Try g+s on the directory.
Which would cause the directory to look like this:
Code:
drwsrwsr-x  2 mike  users 4096 Jun 28 13:44 .
and then new files and directories should be writeable by all members of the users group.

I think this suggestion got lost in the shuffle. I'm curious to know if it works.

Edit: I tried it, it still doesn't set the group write bit.
BUT changing the umask from 022 to 002 did set the group write bit on new files.
So: setgid to set the group ID (doh) to users, and set all users' umasks to 0002.
The umask may be in the ~/.bashrc. On my system it's in /etc/bashrc - so all users get the same umask.

Last edited by scasey; 07-13-2019 at 05:25 PM.
 
Old 07-13-2019, 05:30 PM   #27
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: FreeBSD/Slackware-14.2+/ArcoLinux
Posts: 9,070

Original Poster
Rep: Reputation: 1901
Code:
[userx@arcomeo data1]$ mkdir testdir
[userx@arcomeo data1]$ chmod g+s testdir
[userx@arcomeo data1]$ ls -la testdir
total 8
drwxr-sr-x  2 userx users 4096 Jul 13 17:24 .
drwxrwxr-x 32 mike  users 4096 Jul 13 17:24 ..
[userx@arcomeo data1]$ touch testdir/me
[userx@arcomeo data1]$ ls -la testdir
total 8
drwxr-sr-x  2 userx users 4096 Jul 13 17:25 .
drwxrwxr-x 32 mike  users 4096 Jul 13 17:24 ..
-rw-r--r--  1 userx users    0 Jul 13 17:25 me
the file me gets owner rw, user r, other r
whereas user needs rw
Code:
[userx@arcomeo data1]$ rmdir testdir
rmdir: failed to remove 'testdir': Directory not empty
[userx@arcomeo data1]$ rm -r testdir
[userx@arcomeo data1]$ mkdir testdir
[userx@arcomeo data1]$ chmod u+s,g+s testdir
[userx@arcomeo data1]$ ls -la testdir
total 8
drwsr-sr-x  2 userx users 4096 Jul 13 17:27 .
drwxrwxr-x 32 mike  users 4096 Jul 13 17:27 ..
[userx@arcomeo data1]$ touch testdir/me
[userx@arcomeo data1]$ ls -la testdir
total 8
drwsr-sr-x  2 userx users 4096 Jul 13 17:28 .
drwxrwxr-x 32 mike  users 4096 Jul 13 17:27 ..
-rw-r--r--  1 userx users    0 Jul 13 17:28 me
Same, the file ends up with the same permissions.

If I su to mike, then vim the me file, it is read-only.

tested this
Code:
mkdir testdir && setfacl -d -m g:users:rw testdir
Was able to mod a file in that dir by all 3 users. Now I've got to figure out how to change everything, like chmod -R perhaps.

Last edited by BW-userx; 07-13-2019 at 05:44 PM.
 
Old 07-13-2019, 07:40 PM   #28
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,627

Rep: Reputation: 1204
Cool.
Use find to exec setfacl and/or chmod, perhaps?
 
Old 07-13-2019, 07:46 PM   #29
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: FreeBSD/Slackware-14.2+/ArcoLinux
Posts: 9,070

Original Poster
Rep: Reputation: 1901
Quote:
Originally Posted by scasey View Post
Cool.
Use find to exec setfacl and/or chmod, perhaps?
Yeah, I've been putting chmod in my script(s). Then I just did a mass setfacl just cuz; doesn't hurt I suppose.

My option, but it's too bad one cannot create a group, then assign rwx if they wanted to that group, and then the ones belonging to that group too get those rights upon creating dirs and files, and not just read.

Last edited by BW-userx; 07-13-2019 at 07:47 PM.
 
Old 07-13-2019, 09:35 PM   #30
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,110
Blog Entries: 3

Rep: Reputation: 1980
Quote:
Originally Posted by BW-userx View Post
whereas user needs rw
It's a matter of umask, if you have not used ACLs. You must tell the computer to allow both read and write:

Code:
umask
rm -r testdir
mkdir testdir

chgrp users testdir
chmod g=rwxs testdir
ls -ld testdir
touch testdir/foobar01
ls -lh testdir/

umask 0002

touch testdir/foobar02
touch testdir/foobar03
ls -lh testdir

umask
If you don't want to keep setting umask manually or have it set permanently in your shell's configuration file, then use an ACL to make the default the way you want it:

Code:
rm -r testdir02
mkdir testdir02

setfacl -b -m group:users:rwx,default:group:users:rw- testdir02/
touch testdir02/foobar01
touch testdir02/foobar02
ls -lh testdir02/
getfacl testdir02/*
That's assuming you have one of the EXT filesystems. In this use-case the BSDs' default file systems have a more sensible behavior. I have no idea why EXT is designed to act like it does, but it is a pain when it comes to shared files and directories.
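An added example, not code from any of the posts above, that puts the findings of posts #26, #27 and #30 into one runnable script: it builds a group-owned, setgid directory, shows that files created in it come out 644 under umask 022 and 664 under umask 002 (setgid fixes the group, not the group write bit), and then, where the acl tools are installed and the filesystem supports ACLs, adds the default ACL that gives the group rw- on new files regardless of the creator's umask. The scratch directory, file names and the use of the caller's own primary group are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the two fixes discussed above
# in a throwaway directory and read the results back.
#   1. setgid on the directory + umask 002  -> new files are group-writable
#   2. setgid + a default ACL               -> group-writable even with umask 022
# All paths and the group name used here are constructed for the demo.
set -eu

# mode_of PATH -> octal permission bits, including the setgid bit (e.g. 2775)
mode_of() {
    stat -c '%a' "$1"
}

# group_of PATH -> name of the group that owns PATH
group_of() {
    stat -c '%G' "$1"
}

# make_shared_dir DIR GROUP: group-owned, group-writable, setgid set (2775)
make_shared_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod u=rwx,g=rwxs,o=rx "$1"
}

# create_with_umask UMASK FILE -> mode of the newly created file
# The umask is changed in a subshell so the caller's umask is untouched.
create_with_umask() {
    ( umask "$1"; : > "$2" )
    mode_of "$2"
}

# acl_supported DIR -> success if a default ACL can be set under DIR
# (needs the acl tools installed and a filesystem with ACL support)
acl_supported() {
    command -v setfacl >/dev/null 2>&1 || return 1
    mkdir -p "$1/.probe"
    if setfacl -d -m "group::rwx" "$1/.probe" 2>/dev/null; then rc=0; else rc=1; fi
    rm -rf "$1/.probe"
    return "$rc"
}

# add_default_acl DIR GROUP: GROUP gets rwx on DIR now, and rw- on every
# file created in DIR later, whatever umask the creating user has
add_default_acl() {
    setfacl -m "group:$2:rwx" -m "default:group:$2:rw-" "$1"
}

# group_acl_perms FILE GROUP -> the named-group ACL entry on FILE (e.g. rw-)
group_acl_perms() {
    getfacl -c "$1" 2>/dev/null | sed -n "s/^group:$2:\([rwx-]*\).*/\1/p"
}

demo() {
    work="${TMPDIR:-/tmp}/shared-demo.$$"   # constructed scratch location
    grp="$(id -gn)"      # own primary group, so chmod keeps the setgid bit
    make_shared_dir "$work/plain" "$grp"
    printf 'dir %s group %s\n' "$(mode_of "$work/plain")" "$(group_of "$work/plain")"
    printf 'umask 022 -> %s\n' "$(create_with_umask 022 "$work/plain/a")"
    printf 'umask 002 -> %s\n' "$(create_with_umask 002 "$work/plain/b")"
    if acl_supported "$work"; then
        make_shared_dir "$work/acl" "$grp"
        add_default_acl "$work/acl" "$grp"
        create_with_umask 022 "$work/acl/c" >/dev/null
        printf 'umask 022 + default ACL -> group:%s:%s\n' "$grp" \
            "$(group_acl_perms "$work/acl/c" "$grp")"
    else
        echo 'ACL demo skipped: setfacl missing or filesystem lacks ACL support'
    fi
    rm -rf "$work"
}

demo
```

The umask step matters because the kernel masks every file a program creates with the process umask, and setgid on the directory only decides which group the new file belongs to; that is exactly why the ls listings in #27 still show -rw-r--r-- after chmod g+s. A default ACL sidesteps the umask for the named group entry, which is what the setfacl -d test in #27 and the second block in #30 rely on.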
 
  

