Web lists-archives.com

Re: File and directory permissions

Sorry, it is very counter intuitive to me.
So what you say is this: if there is an open terminal before chmod 700, then I can use that terminal to access "apple", but after I close terminal B, there is no way to access that apple directory? Neither with a shall window, nor with another software?
In some cases this may lead to serious security issues, doesn't it?
Let me ask this specific question: is there any way to access apple, other than the already open terminal B? If not, then it is ok, but there is any way to access apple, then I have to do recursive chown and chmod to make sure nobody can access anything below /opt/experiment.

7. Mar 2018 14:06 by tomas@xxxxxxxxxx:

Hash: SHA1

On Wed, Mar 07, 2018 at 11:54:43AM +0100, epsilon491@xxxxxxxxxxxx wrote:
7. Mar 2018 11:27 by tomas@xxxxxxxxxx:

> I can't reproduce, either. Once the chown to root happens, non-root
> user can't touch files in directory. Ext4.

I double checked. Sorry the previous example was not good. To reproduce the issue, you have to create another directory inside the top one. Here is a working example:

# terminal A


mkdir /opt/experiment/

chown aristo:aristo /opt/experiment

mkdir /opt/experiment/apple

chown aristo:aristo /opt/experiment/apple

# terminal B,

whoami # aristo

cd /opt/experiment/apple

touch aaa # OK

So far so good. Not surprising, IMO.
# terminal A

chown root:root /opt/experiment

chmod 700 /opt/experiment

# terminal B

pwd # Gives /opt/experiment/apple

touch bbb # OK bbb is created

Also OK. Or is that surprising to you? Aristo has write permissions for
cd /opt/experiment/apple # Gives permission denied

That's also OK. While aristo has permissions for apple (x is relevant
here), it hasn't for experiment, so it can't "traverse" it.
# new terminal C

cd /opt/experiment/apple # Denied

touch /opt/experiment/apple/ccc # Denied

Same as above: the resolution of the whole path requires traversing
each path's element in turn, and it fails at "experiment". There's
even a man page for that: see "man path_resolution" (part of the
manpages package).
Note that, after chmod 700, in terminal B you can still create files, although you cannot cd into apple.

Yes, it is supposed to work like that.

- -- tomás
Version: GnuPG v1.4.12 (GNU/Linux)