LinuxAnswers Discussion: This forum is to discuss articles posted to LinuxAnswers.

08-20-2003, 07:12 PM
#1
Senior Member
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
DISCUSSION: Quick and Dirty Guide to Linux File Permissions

08-20-2003, 08:40 PM
#2
Senior Member
Registered: May 2003
Location: Malaysia
Distribution: Slackware, LFS, CentOS
Posts: 1,307
This article can be improved by touching on the chattr command as well.

09-17-2003, 12:13 AM
#3
Member
Registered: Jun 2002
Location: NY
Distribution: Gentoo,RH
Posts: 333
I see that the comments have dried up some time ago...
One suggestion, one comment: You could add some sentences about umask and what it does.
The comment is about this suid "myscript" thing. I know it's just to show the recipe, but it suggests that it's ok to have such a script, while it's not. ("'myscript' is a shell script that we are writing that performs a useful function.") The target here is people new to Linux, and they may not know better. Fundamentally, such a script cannot be made unexploitable (path issues, temp file issues, IFS issues, remaining race conditions that cannot be fixed, and so on and so on). Because of that, the Linux kernel will not honor the suid bit for scripts, so on Linux one is safe. But Solaris has no such inhibitions, for example.
Just my 5cts on this peripheral issue. Nice article!
mlp

01-16-2004, 12:48 AM
#4
Member
Registered: Aug 2003
Location: Brisbane, Australia
Distribution: Red Hat Enterprise Linux 4
Posts: 120
Quote:
Originally posted by mlp68
The comment is about this suid "myscript" thing. I know it's just to show the recipe, but it suggests that it's ok to have such a script, while it's not. ("'myscript' is a shell script that we are writing that performs a useful function.") The target here is people new to Linux, and they may not know better. Fundamentally, such a script cannot be made unexploitable (path issues, temp file issues, IFS issues, remaining race conditions that cannot be fixed, and so on and so on). Because of that, the Linux kernel will not honor the suid bit for scripts, so on Linux one is safe.
Firstly, I think that this is a very informative article. I really appreciate the author's help towards people who are new to Linux. This covers pretty much everything that one needs to know about file permissions for basic usage.
Secondly, I think all that bashing from mlp68 was totally unwanted. As far as I know, no newbie will even think about 'myscript'; they will concentrate on how to go ahead setting file permissions. I'm saying this from a newbie's point of view. I'm not a Linux 'Guru', but certainly not a newbie.
I know how a newbie (with considerable IQ) will think while reading the article and what he/she concludes from it.
I mean, how many newbies do you know who know anything about path issues, temp file issues, IFS issues, etc.?
Once again, I say that this is a very good article.
Cheers
King Nothing

01-16-2004, 05:14 PM
#5
Member
Registered: Jun 2002
Location: NY
Distribution: Gentoo,RH
Posts: 333
I wouldn't call my comment "bashing" - it's just a friendly comment.
M.

01-17-2004, 12:25 AM
#6
Member
Registered: Aug 2003
Location: Brisbane, Australia
Distribution: Red Hat Enterprise Linux 4
Posts: 120
Maybe *Bashing* was an inappropriate word, but it did look like that to me.
No offense, but still all those things that you said were not necessary.
King Nothing

04-30-2004, 01:22 AM
#7
Senior Member
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Original Poster
I didn't consider it bashing; in fact I'm still trying to figure out what the hell mlp68 is talking about. It was just a random example, and I used the 'myscript' thing because I wanted to fit chmod +x into the example. Wouldn't work with an image or mp3 in the example, would it?
BTW, I just wanted to say that I did not add the parts about suid or the sticky bit; they were added by whoever proofread the article prior to posting it here.
Cheers folks....

04-30-2004, 01:55 PM
#8
Member
Registered: Jun 2002
Location: NY
Distribution: Gentoo,RH
Posts: 333
Hi Bulliver,
First off, sorry if others perceived my comment as bashing. It's a great and well-written article. I was just referring to that paragraph:
Quote:
SETUID
Normally, when a program is run it inherits all the rights/restrictions of the user that executed it. If a user can't read /var/log/messages, then neither can any program/script executed by that user. There is a way around this: we again use the chmod command but add a '4' at the beginning of the permission string, example:
Code:
chmod 4755 myscript
This would execute 'myscript' with the permissions of the file's owner (such as root, if the file is owned by root), and not the normal user executing 'myscript'. As you can imagine, this should be used sparingly if at all, as it defeats the normal permission structure, and can lead to security issues.
You say the right warning words, but since the Linux kernel doesn't honor the SUID bit for scripts at all (because of the security flaws I listed, and some more), this wouldn't work. But worse, other flavors of Unix don't have those inhibitions about suid scripts, and that's where it could become dangerous (that's why I said a novice could take away from here that it is ok, while it's not). You can have a suid (or guid) executable, but not a script.
Have a look at http://www.phrack.org/phrack/47/P47-05 (question 10), which I just googled. It has a nice summary and explanation of the 4 easiest exploits. (There are more.)
Again, I didn't mean to diminish your great article, just point out this thing. Sorry if it came across the wrong way.
mlp
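The SETUID paragraph quoted in the post above (chmod 4755) and the umask suggestion in post #3 both come down to reading an absolute mode digit by digit. The Python below is an added example, not code from the original article or from anyone in this thread: it decodes an absolute mode the way ls -l displays it, applies a umask the way the kernel does at file creation, and walks a directory to list files carrying the setuid bit, which is the routine audit a defender runs for exactly the reason mlp68 gives. The function names, the temporary files and the sample modes are all constructed for this example.

```python
import os
import shutil
import stat
import tempfile

# Names for the high-order "special" digit of an absolute mode such as 4755.
# 4 = setuid, 2 = setgid, 1 = sticky; 6755 therefore reads "setuid + setgid",
# and the remaining three digits are owner / group / others.
SPECIAL_BITS = (
    ("setuid", stat.S_ISUID),
    ("setgid", stat.S_ISGID),
    ("sticky", stat.S_ISVTX),
)


def decode_absolute(mode):
    """Explain an absolute (octal) mode the way ls -l would show it.

    0o4755 gives special=['setuid'], owner='rws', group='r-x', others='r-x';
    the 's' in the owner column is how ls -l marks a file that runs with its
    owner's privileges rather than the caller's.
    """
    mode &= 0o7777
    special = [name for name, bit in SPECIAL_BITS if mode & bit]
    # stat.filemode renders a full st_mode; pretend it is a regular file and
    # drop the leading type character to keep just the nine permission bits.
    rwx = stat.filemode(stat.S_IFREG | mode)[1:]
    return {
        "octal": "%04o" % mode,
        "special": special,
        "owner": rwx[0:3],
        "group": rwx[3:6],
        "others": rwx[6:9],
    }


def effective_create_mode(requested, umask):
    """Mode a newly created file actually receives.

    Programs normally request 0o666 for files and 0o777 for directories; the
    umask lists the bits to REMOVE, so umask 022 turns 0o666 into 0o644 and
    umask 077 turns 0o777 into 0o700.
    """
    return requested & ~umask & 0o7777


def find_setuid_files(root):
    """Audit helper: regular files under root that carry the setuid bit.

    Every such file is a place where an ordinary bug becomes a privilege
    boundary crossing, so the list is worth reviewing regularly.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks while auditing
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def demo_setuid_scan():
    """Constructed sample: a throwaway tree with one file chmod 4755 and one
    chmod 755, then scanned. Also reports whether the filesystem actually
    kept the setuid bit, since a few filesystems silently drop it."""
    root = tempfile.mkdtemp(prefix="perm-demo-")
    try:
        suid_path = os.path.join(root, "myscript")
        plain_path = os.path.join(root, "plain")
        for path, mode in ((suid_path, 0o4755), (plain_path, 0o755)):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\necho hello\n")
            os.chmod(path, mode)
        bit_stuck = bool(os.stat(suid_path).st_mode & stat.S_ISUID)
        return {
            "hits": find_setuid_files(root),
            "setuid_path": suid_path,
            "plain_path": plain_path,
            "bit_stuck": bit_stuck,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for m in (0o644, 0o755, 0o4755, 0o2775, 0o1777):
        print(decode_absolute(m))
    print("umask 022 on 0o666 -> %04o" % effective_create_mode(0o666, 0o022))
    print(demo_setuid_scan())
```

Note that on Linux the audit still lists a 4755 shell script even though, as mlp68 says, the kernel ignores the bit when it runs the interpreter; the bit is a fact about the file, not about what the kernel will honor, and the same file copied to a system that does honor it keeps the bit.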

05-14-2004, 12:46 AM
#9
Member
Registered: Apr 2003
Distribution: Xubuntu
Posts: 113
I think it's a great article. I've never really understood how absolute modes worked because the explanations I've read ramble on about bits and such, but your illustration made it very simple. Thanks again.

05-14-2004, 01:38 AM
#10
Senior Member
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Original Poster
Thanks man, means a lot...

05-15-2004, 03:04 AM
#11
Member
Registered: Mar 2004
Location: Colorado, US
Distribution: Debian "Sarge"
Posts: 228
Quote:
I think it's a great article. I've never really understood how absolute modes worked because the explanations I've read ramble on about bits and such, but your illustration made it very simple. Thanks again.
Hell YES !!!! This was in my mind all the time I was reading it. For the first time I get to understand that thingy.
And by it, I also inherited knowledge about WHAT in ALL heavens my fstab should have for my winXP partitions and the DARN umask attribute !!!!!
This newbie has gotten a lot of benefit from the article. THANKS !!
What I didn't see explained there, and still want to know (might be out of scope) is: How do I add an executable to a specific group? (i.e. I want 'cdburn' to be executed by users in group 'cdwrite')

05-15-2004, 05:48 AM
#12
Senior Member
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Original Poster
Qucho:
Thanks for your kind words, now for your question...
Code:
chown root:cdwrite cdburn
chmod g+x cdburn
That's it! All the info was in the guide... you just need to string the principles together.
BTW, I used a colon in the chown command above, since using a period is now deprecated. Better update the guide....
Thanks again.
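As an added illustration of the chown/chmod answer above (example code written for this page, not the guide's or the poster's own): the chown half needs root or membership in cdwrite, so it stays in the shell, but the mode arithmetic behind chmod g+x can be shown in Python. apply_symbolic implements the subset of chmod's symbolic syntax used in this thread (who letters u/g/o/a, operators + - =, permissions r/w/x/s/t), group_only_executable checks the property Qucho actually wants, namely that group members can run the file while others cannot, and demo_group_executable applies g+x to a constructed temporary file and reads the resulting mode back from disk. All function names and sample values are assumptions of this example.

```python
import os
import shutil
import stat
import tempfile

# rwx bits for each "who" class in chmod's symbolic syntax.
RWX_BITS = {
    "u": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "g": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "o": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}
# Special bits: 's' is setuid for u and setgid for g; 't' is the sticky bit.
SPECIAL_BITS = {("u", "s"): stat.S_ISUID, ("g", "s"): stat.S_ISGID, ("o", "t"): stat.S_ISVTX}


def _bits_for(who, perms):
    """Translate a who-string such as "ug" and perm letters such as "rx" into mode bits."""
    bits = 0
    for w in who:
        r, wr, x = RWX_BITS[w]
        for p in perms:
            if p == "r":
                bits |= r
            elif p == "w":
                bits |= wr
            elif p == "x":
                bits |= x
            elif p in "st":
                bits |= SPECIAL_BITS.get((w, p), 0)  # 's' on o or 't' on u/g: no-op
            else:
                raise ValueError("unknown permission letter %r" % p)
    return bits


def apply_symbolic(mode, spec):
    """Apply a chmod-style symbolic spec to a numeric mode and return the result.

    Accepts comma-separated clauses, e.g. apply_symbolic(0o640, "g+x") == 0o650
    and apply_symbolic(0o644, "u=rwx,g=rx,o=") == 0o750. A missing who letter
    is treated as "a". Simplification relative to real chmod: '=' resets only
    the rwx bits of the named classes, and the setuid/setgid/sticky bits change
    only when s or t is written explicitly.
    """
    mode &= 0o7777
    for clause in spec.split(","):
        clause = clause.strip()
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = clause[:i] or "a"
        who = "ugo" if "a" in who else who
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError("expected +, - or = in clause %r" % clause)
        op, perms = clause[i], clause[i + 1:]
        bits = _bits_for(who, perms)
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:
            clear = 0
            for w in set(who):
                for b in RWX_BITS[w]:
                    clear |= b
            mode = (mode & ~clear) | bits
    return mode & 0o7777


def group_only_executable(mode):
    """True when the group may execute but 'others' may not: the shape wanted
    for 'only members of cdwrite may run cdburn'."""
    return bool(mode & stat.S_IXGRP) and not (mode & stat.S_IXOTH)


def demo_group_executable():
    """Constructed sample: a temp file starts at 640 (others get nothing), then
    receives g+x as in the reply above; the mode is read back from disk."""
    root = tempfile.mkdtemp(prefix="perm-demo-")
    try:
        path = os.path.join(root, "cdburn")
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho burning\n")
        os.chmod(path, 0o640)
        current = os.stat(path).st_mode
        os.chmod(path, apply_symbolic(current, "g+x"))
        return os.stat(path).st_mode & 0o7777
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for start, spec in ((0o640, "g+x"), (0o755, "o-rwx"), (0o644, "u=rwx,g=rx,o="), (0o755, "u+s")):
        new = apply_symbolic(start, spec)
        print("%04o %-14s -> %04o  group-only-exec=%s" % (start, spec, new, group_only_executable(new)))
    print("on disk after g+x from 640: %04o" % demo_group_executable())
```

The one caveat worth keeping in mind: g+x only limits execution to the group when 'others' have no x bit to begin with. Starting from 755 instead of 640, the same command leaves a file everyone can run, which group_only_executable reports as False.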

05-15-2004, 09:05 PM
#13
Member
Registered: Mar 2004
Location: Colorado, US
Distribution: Debian "Sarge"
Posts: 228
bulliver,
Thanks for everything. Yes, you are right, it is in the guide.
[edit] I read the article a couple more times, and finally I got it right.
Seems to me I can not say 'thanks' enough times :P LOL...
Last edited by Qucho; 05-15-2004 at 09:11 PM.

07-14-2004, 11:25 AM
#14
LQ Newbie
Registered: May 2004
Distribution: Mandrake 9.2
Posts: 5
You should mention console.perms (usually in /etc/security/). When it comes to device permissions, it has the final word and chmod is useless. http://www.gentoo.org/doc/en/devfs-guide.xml#doc_chap4 gives more explanations.

07-30-2004, 11:10 AM
#15
Member
Registered: Jul 2004
Location: Los Angeles
Distribution: Mandrake 2007
Posts: 109
chattr
Good guide about file permissions; also we have available "chattr", which I find very useful. Let's say we want a directory with read-only permission. Probably there is more than one way to set this directory read only, but using chattr is very easy.
Code:
chattr +i dir_name
Bingo! Nobody can write to it. Not even root.
These were my two cents,
Raxxal