Msg. 1 - Posted: Mon Nov 05, 2007 7:12 am
Post subject: sticky bits, owner,
Archived from groups: comp.os.linux.security
Hi all,
I have the following setup:
- two groups, zope and users
- a user zope in group zope
- a user a in group users (main group) and in group zope
- a user b in group users (main group) and in group zope
A directory /var/lib/zope has the following permissions:
drwxrwsr-x zope zope /var/lib/zope
So it is writable by all users in group zope, and files
created here will also be owned by group zope.
When user b creates a file here, it will get the following
permissions:
-rw-r--r-- b zope /var/lib/zope/a_file
As a result, user a will not be able to modify this file.
How can I achieve this?
Some things I have already thought of:
1) A possible solution would be to automatically set the
g+w bit on newly created files. Is there any such mechanism
(like the +s bit for automatically setting the group)?
2) Another solution would be to automatically set the owner
of the file to "zope" instead of "b". But this does not
work (at least not by simply setting the u+s bit on the
directory).
And even *if* this worked, user b could not edit this file
afterwards, because the g+w bit is still not set...
I explicitly do not want to set the umask for users a and/or b
to something like 0002...
Any hints?
Thanks and regards
-stefan-

Msg. 2 - Posted: Mon Nov 05, 2007 7:12 am
Post subject: Re: sticky bits, owner,
In news:pan.2007.11.05.12.12.22.982326@hora-obscura.de,
Stefan Palme <kleiner.RemoveThis@hora-obscura.de> wrote:
> drwxrwsr-x zope zope /var/lib/zope
That is NOT a "sticky bit"; that is an sgid bit. A sticky bit would be set
via "chmod +t /var/lib/zope":
drwxrwsr-t zope zope /var/lib/zope
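The distinction drawn in the reply above (an 's' in the group execute column is the setgid bit; a 't' in the other execute column is the sticky bit) is easy to get wrong when reading ls output. The following is an added example, not code from the thread: it decodes the symbolic mode letters in both directions and then recreates the poster's directory in a temporary location, applies chmod g+s and chmod +t, and records what the kernel does with a file and a subdirectory created inside it. It assumes Linux and Python 3.3 or later (for stat.filemode); the names zope and a_file come from the thread, the temporary directory is constructed here. Note that the group-inheritance check is trivially true when the creator's primary group already matches the directory's group; the interesting case in the thread is a creator whose primary group is users writing into a directory owned by group zope.

```python
"""Setgid vs sticky on a directory: decode the ls letters and watch the kernel apply them."""
import os
import stat
import tempfile

SETUID, SETGID, STICKY = stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX


def describe(mode: int) -> dict:
    """Name the special bits in a st_mode value and give its ls-style rendering."""
    return {
        "symbolic": stat.filemode(mode),             # e.g. 'drwxrwsr-x'
        "octal": format(stat.S_IMODE(mode), "04o"),  # e.g. '2775'
        "setuid": bool(mode & SETUID),               # 's' or 'S' in the user execute column
        "setgid": bool(mode & SETGID),               # 's' or 'S' in the group execute column
        "sticky": bool(mode & STICKY),               # 't' or 'T' in the other execute column
    }


def parse_symbolic(text: str) -> int:
    """Inverse of stat.filemode for the permission part: 'drwxrwsr-x' -> 0o2775.

    Lowercase s/t mean the execute bit is also set; uppercase S/T mean it is not.
    """
    perms = text[-9:]
    if len(perms) != 9:
        raise ValueError(f"need nine permission characters: {text!r}")
    mode = 0
    for i, ch in enumerate(perms):
        bit = 1 << (8 - i)                # 0o400 for column 0 down to 0o001 for column 8
        if ch == "rwxrwxrwx"[i]:
            mode |= bit
        elif ch in "sS" and i in (2, 5):  # setuid (column 2) / setgid (column 5)
            mode |= SETUID if i == 2 else SETGID
            mode |= bit if ch == "s" else 0
        elif ch in "tT" and i == 8:       # sticky bit only exists in the other execute column
            mode |= STICKY
            mode |= bit if ch == "t" else 0
        elif ch != "-":
            raise ValueError(f"bad permission character {ch!r} in column {i} of {text!r}")
    return mode


def run_demo() -> dict:
    """Rebuild the thread's /var/lib/zope in a temp dir: chmod g+s, chmod +t, then create entries."""
    with tempfile.TemporaryDirectory() as root:      # constructed stand-in for /var/lib
        shared = os.path.join(root, "zope")
        os.mkdir(shared)
        os.chmod(shared, 0o2775)                     # chmod g+s: new entries take the dir's group
        after_sgid = stat.filemode(os.stat(shared).st_mode)
        os.chmod(shared, 0o3775)                     # chmod +t: only an entry's owner (or root) may remove it
        after_sticky = stat.filemode(os.stat(shared).st_mode)

        old_umask = os.umask(0o022)                  # the umask the original poster does not want to change
        try:
            fpath = os.path.join(shared, "a_file")
            os.close(os.open(fpath, os.O_CREAT | os.O_WRONLY, 0o666))
            sub = os.path.join(shared, "sub")
            os.mkdir(sub, 0o777)
        finally:
            os.umask(old_umask)

        return {
            "after_sgid": after_sgid,
            "after_sticky": after_sticky,
            # setgid on the directory fixes the group of new entries, not their mode:
            # the file still comes out as 0666 & ~022 = 0644, exactly the thread's complaint
            "file_mode": stat.filemode(os.stat(fpath).st_mode),
            "file_group_inherited": os.stat(fpath).st_gid == os.stat(shared).st_gid,
            # Linux also copies the setgid bit itself onto new subdirectories
            "subdir_inherits_setgid": describe(os.stat(sub).st_mode)["setgid"],
        }


if __name__ == "__main__":
    for sample in ("drwxrwsr-x", "drwxrwsr-t", "drwxrwxr-t"):
        print(sample, describe(parse_symbolic(sample) | stat.S_IFDIR))
    print(run_demo())
```

Running it shows why neither bit helps with the poster's problem: the setgid bit only fixes the group of new entries, and the sticky bit only restricts who may unlink or rename them; neither touches the mode that the creating process's umask produces.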

Msg. 3 - Posted: Mon Nov 05, 2007 8:03 am
Post subject: Re: sticky bits, owner,
On 2007-11-05, Stefan Palme <kleiner.TakeThisOut@hora-obscura.de> wrote:
>
> Hi all,
>
> I have the following setup:
>
> - two groups, zope and users
> - a user zope in group zope
> - a user a in group users (main group) and in group zope
> - a user b in group users (main group) and in group zope
>
> A directory /var/lib/zope has the following permissions:
>
> drwxrwsr-x zope zope /var/lib/zope
>
> So it is writable by all users in group zope, and files
> created here will also be owned by group zope.
>
> When user b creates a file here, it will get the following
> permissions:
>
> -rw-r--r-- b zope /var/lib/zope/a_file
>
>
> As a result, user a will not be able to modify this file.
>
> How can I achieve this?
>
>
> Some things I have already thought of:
>
> 1) A possible solution would be to automatically set the
> g+w bit on newly created files. Is there any such mechanism
> (like the +s bit for automatically setting the group)?
>
A cron job could run at regular intervals to set the permissions of all
files in that directory. Make sure that it only works on plain files
and directories, not links.
> 2) Another solution would be to automatically set the owner
> of the file to "zope" instead of "b". But this does not
> work (at least not by simply setting the u+s bit on the
> directory).
> And even *if* this worked, user b could not edit this file
> afterwards, because the g+w bit is still not set...
>
> I explicitly do not want to set the umask for users a and/or b
> to something like 0002...
>
On some Linux systems, each user has his/her own group. Changing the
umask would not be a problem in that case.
> Any hints?
> Thanks and regards
> -stefan-

Msg. 4 - Posted: Mon Nov 05, 2007 8:51 am
Post subject: Re: sticky bits, owner,
I demand that Stefan Palme may or may not have written...
> [I] have the following setup:
> - two groups, zope and users
> - a user zope in group zope
> - a user a in group users (main group) and in group zope
> - a user b in group users (main group) and in group zope
> A directory /var/lib/zope has the following permissions:
> drwxrwsr-x zope zope /var/lib/zope
> So it is writable by all users in group zope, and files created here will
> also be owned by group zope.
> When user b creates a file here, it will get the following permissions:
> -rw-r--r-- b zope /var/lib/zope/a_file
> As a result, user a will not be able to modify this file.
> How can I achieve this?
[snip]
setfacl.
Setting the default ACLs for that directory and all subdirectories should be
sufficient:
# setfacl -R --set d:g::rwx /var/lib/zope
(If not done as root, you won't be able to set the ACLs for files owned by
others.)
This overrides the umask setting, effectively enforcing 0002 for
newly-created objects ("getfacl /var/lib/zope" to see why); and the ACLs are
propagated to newly-created subdirectories.
--
| Darren Salt | linux or ds at | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + At least 4000 million too many people. POPULATION LEVEL IS UNSUSTAINABLE.
The hand that kindles cannot quench the flame.
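The "getfacl ... to see why" in the post above refers to the rule in acl(5) for object creation: when the containing directory has a default ACL, the new object's access ACL is copied from it and each class is masked only by the mode the creating call requested (0666 for a file, 0777 for a directory), and the process umask is not applied at all. The following is an added example, not code from the thread or from the acl tools: a small Python model of that rule that parses the default: lines of getfacl output and computes the resulting mode with and without a default ACL. The getfacl output is constructed here and shows a directory as in the thread (mode 2775, group zope) after a default group entry was added; the spelling `setfacl -d -m g::rwx DIR` mentioned in the comment is an assumption of this example, not the form used in the post. The mask-entry branch generalises beyond the thread: once named user or group entries exist, the mode's group bits mirror the mask entry rather than the owning-group entry.

```python
"""Why a default ACL beats the umask: the mode a new object gets, modelled after acl(5)."""
import stat
from dataclasses import dataclass
from typing import Optional

PERM_BITS = {"r": 4, "w": 2, "x": 1}


@dataclass
class DefaultACL:
    """The default:* base entries of a directory, as 3-bit permission values."""
    user: int                    # default:user::
    group: int                   # default:group::
    other: int                   # default:other::
    mask: Optional[int] = None   # default:mask::, present once named entries exist


def perms_to_bits(perms: str) -> int:
    """'rwx' -> 7, 'r-x' -> 5, '---' -> 0."""
    return sum(PERM_BITS[c] for c in perms if c != "-")


def parse_default_acl(getfacl_output: str) -> Optional[DefaultACL]:
    """Pick the default: entries out of `getfacl DIR` output; None if the dir has no default ACL."""
    entries = {}
    for raw in getfacl_output.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop '# file:' headers and '#effective:' notes
        if not line.startswith("default:"):
            continue
        tag, qualifier, perms = line[len("default:"):].split(":")
        if qualifier:                            # named user/group entry: governed by the mask entry
            continue
        entries[tag] = perms_to_bits(perms)
    if "user" not in entries:
        return None
    return DefaultACL(entries["user"], entries["group"], entries["other"], entries.get("mask"))


def new_object_mode(requested: int, umask: int, default_acl: Optional[DefaultACL] = None) -> int:
    """Permission bits a new object ends up with.

    `requested` is the mode passed to open()/mkdir(), normally 0o666 for files and
    0o777 for directories.  Without a default ACL the kernel applies the umask; with
    one, the umask is ignored and each class is the default entry ANDed with the
    matching bits of the requested mode.  If a mask entry exists, the group bits of
    the mode reflect the mask, not the owning-group entry.
    """
    requested &= 0o777
    if default_acl is None:
        return requested & ~umask & 0o777
    u = default_acl.user & (requested >> 6 & 7)
    group_class = default_acl.mask if default_acl.mask is not None else default_acl.group
    g = group_class & (requested >> 3 & 7)
    o = default_acl.other & (requested & 7)
    return u << 6 | g << 3 | o


# Constructed getfacl output (assumption of this example): the thread's directory,
# mode 2775 owned by zope:zope, after `setfacl -d -m g::rwx /var/lib/zope`.
SAMPLE_GETFACL = """\
# file: var/lib/zope
# owner: zope
# group: zope
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x
"""


def compare(umask: int, acl: Optional[DefaultACL]) -> dict:
    """ls-style modes for a new file and a new directory, with and without the default ACL."""
    return {
        "file_without_acl": stat.filemode(stat.S_IFREG | new_object_mode(0o666, umask)),
        "file_with_acl": stat.filemode(stat.S_IFREG | new_object_mode(0o666, umask, acl)),
        "dir_with_acl": stat.filemode(stat.S_IFDIR | new_object_mode(0o777, umask, acl)),
    }


if __name__ == "__main__":
    acl = parse_default_acl(SAMPLE_GETFACL)
    for umask in (0o022, 0o077):
        print(f"umask {umask:04o}:", compare(umask, acl))
```

With the default group entry in place, a file created under umask 022 or even 077 comes out as -rw-rw-r--, which is what "effectively enforcing 0002" means; without it, the same 0666 request under umask 022 gives the -rw-r--r-- the original poster complained about. Subdirectories additionally inherit the default ACL itself, which is why the rule keeps applying below the top directory.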

Msg. 5 - Posted: Mon Nov 05, 2007 11:30 am
Post subject: Re: sticky bits, owner,
On Mon, 05 Nov 2007 14:51:56 +0000, Darren Salt wrote:
> I demand that Stefan Palme may or may not have written...
> [snip]
>
> setfacl.
>
> Setting the default ACLs for that directory and all subdirectories should be
> sufficient:
> # setfacl -R --set d:g::rwx /var/lib/zope
>
> (If not done as root, you won't be able to set the ACLs for files owned by
> others.)
>
> This overrides the umask setting, effectively enforcing 0002 for
> newly-created objects ("getfacl /var/lib/zope" to see why); and the ACLs are
> propagated to newly-created subdirectories.
Thanks, this is probably exactly what I am searching for.
Currently "getfacl /var/lib/zope" gives me:
user::rwx
group::rwx
other::r-x
But I guess this happens because I don't have support for ACLs
in my running kernel (according to the setfacl man page, in this case
simply the "normal" permission bits will be used).
Is it a problem to simply recompile the kernel with ACL support enabled?
Or do I have to re-create the filesystem in the next step?
Thanks and regards
-stefan-

Msg. 6 - Posted: Mon Nov 05, 2007 11:30 am
Post subject: Re: sticky bits, owner,
Stefan Palme wrote:
> On Mon, 05 Nov 2007 14:51:56 +0000, Darren Salt wrote:
>
>> I demand that Stefan Palme may or may not have written...
>> [snip]
>>
>> setfacl.
>>
>> Setting the default ACLs for that directory and all subdirectories should be
>> sufficient:
>> # setfacl -R --set d:g::rwx /var/lib/zope
>>
>> (If not done as root, you won't be able to set the ACLs for files owned by
>> others.)
>>
>> This overrides the umask setting, effectively enforcing 0002 for
>> newly-created objects ("getfacl /var/lib/zope" to see why); and the ACLs are
>> propagated to newly-created subdirectories.
>
> Thanks, this is probably exactly what I am searching for.
>
> Currently "getfacl /var/lib/zope" gives me:
> user::rwx
> group::rwx
> other::r-x
>
> But I guess this happens because I don't have support for ACLs
> in my running kernel (according to the setfacl man page, in this case
> simply the "normal" permission bits will be used).
>
> Is it a problem to simply recompile the kernel with ACL support enabled?
> Or do I have to re-create the filesystem in the next step?
>
> Thanks and regards
> -stefan-
>
You just need to mount the filesystem with the "acl" mount option:
# mount -o remount,acl <mount-point or dev>
Also, you probably want to use this instead:
# setfacl -R --set d:g::rwX /var/lib/zope
(note the capital 'X').
-Wayne

Msg. 7 - Posted: Mon Nov 05, 2007 4:26 pm
Post subject: Re: sticky bits, owner,
I demand that Stefan Palme may or may not have written...
> On Mon, 05 Nov 2007 14:51:56 +0000, Darren Salt wrote:
[snip; how to enforce group write permissions?]
>> setfacl.
>> Setting the default ACLs for that directory and all subdirectories should
>> be sufficient:
>> # setfacl -R --set d:g::rwx /var/lib/zope
[snip]
> Thanks, this is probably exactly what I am searching for.
> Currently "getfacl /var/lib/zope" gives me:
> user::rwx
> group::rwx
> other::r-x
Those would be the default ACL entries. You can use chmod to alter them; see
acl(5).
[snip]
> Is it a problem to simply recompile the kernel with ACL support enabled?
I've just done so on my laptop; no problems.
> Or do I have to re-create the filesystem in the next step?
No, but you should make sure that the ACL mount option is enabled for every
partition on which you want ACL support. You can do this by adding "acl" as a
mount option to the appropriate entries in /etc/fstab or by setting it in the
appropriate superblocks ("tune2fs -o acl /dev/foo" for ext2 or ext3; you'll
want this for the root fs!); and you can do it on-the-fly by using "mount
/bar -o remount,acl".
--
| Darren Salt | linux or ds at | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Output less CO2 => avoid boiling weather. TIME IS RUNNING OUT *FAST*.
Bad filename, 0:1

Msg. 8 - Posted: Tue Nov 06, 2007 2:07 am
Post subject: Re: sticky bits, owner,
On Mon, 05 Nov 2007 14:03:29 -0500, Bill Marcum wrote:
> On some Linux systems, each user has his/her own group. Changing the
> umask would not be a problem in that case.
It *would* be a problem, because the users in question
have access to other directories with similar group
sticky bit settings (but for other groups, not "zope"),
for which I don't want them to have 0002 as umask.
The ACL approach seems to be the more effective one;
thanks for all the hints.
Regards
-stefan-