LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-18-2015, 02:32 PM   #1
davikes
LQ Newbie
 
Registered: Jun 2015
Posts: 5

Rep: Reputation: Disabled
Security more based off Group Permissions.


Could use some feedback. Was wondering what people's thoughts are on setting up security in Linux based more on groups, aka umask 707.

I understand it wouldn't be "as secure" as file-owner-based, but what about having files/folders default to only being group accessible, then controlling access based on the group instead?

Thoughts, comments? good/bad.

Thanks
 
Old 06-18-2015, 03:21 PM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
It is common to have files set so that both owner and group can access (007) but not common to try to prevent the owner from accessing. You'd have the owner in the same group as all the other users.

For more fine grained control you could use ACLs instead.
 
Old 06-18-2015, 03:35 PM   #3
davikes
LQ Newbie
 
Registered: Jun 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
The idea is they would need to be in the group to have access. So if they're not, then they wouldn't. It would put you on as the sort of default "owner" of it, but permissions would be via the group.

If you take them out of the group but give them 007 then they still would have access to the file/folder via the owner permission.
 
Old 06-19-2015, 07:46 AM   #4
sgrlscz
Member
 
Registered: Aug 2008
Posts: 123

Rep: Reputation: 84
If the owner doesn't have permission for the file, then it doesn't matter what group(s) the owner is in, access to the file will be denied.

User (owner) permissions take precedence over group permissions. So, with umask 707, assuming directory permissions allow, users would be able to create files/directories, but then they couldn't access them because as the owner, they don't have permission.

For example, here's what happens when you create a file with umask 707:
Code:
$ umask 707
$ ls file
ls: cannot access file: No such file or directory
$ echo "this is a test" >file
$ ls -l file
----rw----. 1 sgrlscz sgrlscz 15 Jun 19 08:33 file
$ cat file
cat: file: Permission denied
$ echo "this is another test" >>file
bash: file: Permission denied
As you can see, I can create the file (because the directory allows me to), but I can't read it or write to it again.
 
Old 06-19-2015, 08:24 AM   #5
davikes
LQ Newbie
 
Registered: Jun 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
Good point, although it's interesting behavior, as you are in the group that has access.

Was curious: is that configurable to check the group first, then the owner? Guessing not.

Last edited by davikes; 06-19-2015 at 08:28 AM.
 
Old 06-19-2015, 08:49 AM   #6
sgrlscz
Member
 
Registered: Aug 2008
Posts: 123

Rep: Reputation: 84
Quote:
Originally Posted by davikes View Post
Good point, although, interesting behavior as you are in the group that has access.

Was curious is that configurable to the group first, then owner? Guessing not.
No. It's the defined behaviour. First match determines access (i.e. an 'if..else if..else').

If you are the owner, your access is defined by the user permission only. If you're not the owner, then if you're in the group, your permission will be determined by group access only. Finally, if you are not the owner or in the group, your access is determined by the other permission.
 
Old 06-19-2015, 09:31 AM   #7
davikes
LQ Newbie
 
Registered: Jun 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
Interesting, so:

----rw----. 1 testuser users 0 Jun 19 09:11 test2.txt
----rw----. 1 root users 0 Jun 19 08:23 test.txt

cat test.txt
test

cat test2.txt
cat: test2.txt: Permission denied

So you'd almost have to force the file to be owned by someone else, really, for that to work, but there's no real way to do that?
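The first-match rule sgrlscz describes (owner triplet, else group triplet, else other), modelled as a small Python function and replayed against the test.txt / test2.txt listing above and the umask 007 result further down. This is an added example, not code from the thread; the uid/gid values come from the thread's `id testuser` output, uid 1001 is a constructed outsider, and root's CAP_DAC_OVERRIDE and POSIX ACLs are deliberately not modelled.

```python
import stat

R, W, X = 4, 2, 1  # permission bits inside one rwx triplet

def apply_umask(umask, base=0o666):
    """Mode a newly created file gets: the creat() base (0666 for files,
    0777 for directories) with every bit that is set in the umask cleared."""
    return base & ~umask & 0o777

def allowed_bits(mode, file_uid, file_gid, uid, groups):
    """Select the ONE rwx triplet that applies to the caller, in the order the
    kernel evaluates classic DAC bits: owner, else group, else other.
    The first match is final: an owner denied by the owner triplet never
    falls through to the group triplet, even if they are in the file's group.
    (Not modelled: root's CAP_DAC_OVERRIDE and POSIX ACLs.)"""
    if uid == file_uid:
        return (mode >> 6) & 7
    if file_gid in groups:
        return (mode >> 3) & 7
    return mode & 7

def can(mode, file_uid, file_gid, uid, groups, want):
    """True when every requested bit in `want` (e.g. R | W) is granted."""
    return allowed_bits(mode, file_uid, file_gid, uid, groups) & want == want

def mode_string(mode):
    """Render permission bits the way ls -l does, e.g. 0o060 -> '----rw----'."""
    return stat.filemode(stat.S_IFREG | mode)

# ids from the thread: uid=506(testuser) gid=100(users); root is uid 0
ROOT, TESTUSER, USERS = 0, 506, 100
TESTUSER_GROUPS = {USERS}

def thread_scenario():
    """Replay the listings posted in this thread under umask 707 and umask 007."""
    m707 = apply_umask(0o707)   # 'umask 707' then creating a file
    m007 = apply_umask(0o007)   # 'umask 007; touch test4'
    return {
        "umask707": mode_string(m707),
        # test.txt: owner root, group users -> testuser falls to the group triplet
        "test.txt": can(m707, ROOT, USERS, TESTUSER, TESTUSER_GROUPS, R),
        # test2.txt: owner testuser -> owner triplet '---' applies, group never consulted
        "test2.txt": can(m707, TESTUSER, USERS, TESTUSER, TESTUSER_GROUPS, R),
        "umask007": mode_string(m007),
        # test4 under umask 007: owner keeps rw, group gets rw, other gets nothing
        "test4": can(m007, TESTUSER, USERS, TESTUSER, TESTUSER_GROUPS, R | W),
        "other": can(m007, TESTUSER, USERS, 1001, {1001}, R),  # uid 1001: constructed outsider
    }
```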
 
Old 06-19-2015, 10:26 AM   #8
davikes
LQ Newbie
 
Registered: Jun 2015
Posts: 5

Original Poster
Rep: Reputation: Disabled
umask: 022

id testuser
uid=506(testuser) gid=100(users) groups=100(users)

-rw-r--r--. 1 root root 0 Jun 19 10:01 test1
-rw-r--r--. 1 root users 0 Jun 19 10:01 test2
-rw-r--r--. 1 testuser users 0 Jun 19 10:09 test3

echo "test1" > test1
-bash: test1: Permission denied
echo "test2" > test2
-bash: test2: Permission denied
echo "test3" > test3

cat test1
cat test2
cat test2
test3

----------------------

umask 007
touch test4

-rw-r--r--. 1 root root 0 Jun 19 10:01 test1
-rw-r--r--. 1 root users 5 Jun 19 10:04 test2
-rw-r--r--. 1 testuser users 6 Jun 19 10:13 test3
-rw-rw----. 1 testuser users 0 Jun 19 10:16 test4

echo "test4" > test4
cat test4
test4


--------------

Maybe umask 007 is more the answer? 002 would give read access to other/everyone.
 
  

