Re: File and directory permissions
- Date: Wed, 7 Mar 2018 12:14:10 +0100 (CET)
- From: <epsilon491@xxxxxxxxxxxx>
- Subject: Re: File and directory permissions
Sorry, it is very counterintuitive to me.
So what you say is this: if there is an open terminal before chmod 700, then I can use that terminal to access "apple", but after I close terminal B, there is no way to access that apple directory? Neither with a shell window, nor with other software?
In some cases this may lead to serious security issues, doesn't it?
Let me ask this specific question: is there any way to access apple, other than the already open terminal B? If not, then it is ok, but if there is any way to access apple, then I have to do a recursive chown and chmod to make sure nobody can access anything below /opt/experiment.
7. Mar 2018 14:06 by tomas@xxxxxxxxxx:
On Wed, Mar 07, 2018 at 11:54:43AM +0100, epsilon491@xxxxxxxxxxxx wrote:
> 7. Mar 2018 11:27 by tomas@xxxxxxxxxx:
> > I can't reproduce, either. Once the chown to root happens, non-root
> > user can't touch files in directory. Ext4.
> I double checked. Sorry, the previous example was not good. To reproduce the issue, you have to create another directory inside the top one. Here is a working example:
> # terminal A
> chown aristo:aristo /opt/experiment
> chown aristo:aristo /opt/experiment/apple
> # terminal B
> whoami # aristo
> touch aaa # OK
So far so good. Not surprising, IMO.
> # terminal A
> chown root:root /opt/experiment
> chmod 700 /opt/experiment
> # terminal B
> pwd # Gives /opt/experiment/apple
> touch bbb # OK bbb is created
Also OK. Or is that surprising to you? Aristo has write permissions for
apple.
> cd /opt/experiment/apple # Gives permission denied
That's also OK. While aristo has permissions for apple (x is relevant
here), it hasn't for experiment, so it can't "traverse" it.
> # new terminal C
> cd /opt/experiment/apple # Denied
> touch /opt/experiment/apple/ccc # Denied
Same as above: the resolution of the whole path requires traversing
each path's element in turn, and it fails at "experiment". There's
even a man page for that: see "man path_resolution" (part of the
> Note that, after chmod 700, in terminal B you can still create files, although you cannot cd into apple.
Yes, it is supposed to work like that.
-- tomás
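The behaviour tomas describes can be reproduced without root and without chown, by removing the execute (search) bit from the parent directory, which is the bit path resolution checks at every component. The script below is an added example, not code posted in this thread. It assumes a temporary directory in place of /opt/experiment and uses chmod 000 on the parent in place of chown root plus chmod 700. A subshell whose working directory is already inside apple stands in for terminal B, and a fresh lookup by absolute path stands in for terminal C. One caveat when reading the result: root holds CAP_DAC_READ_SEARCH and CAP_DAC_OVERRIDE and is not subject to the search check, so when the script is run as root all three operations succeed.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce what tomas describes
# (an already-open cwd inside "apple" keeps working, fresh path lookups
# through "experiment" are denied) with a single unprivileged user.
# Assumptions: a temp dir stands in for /opt/experiment, and stripping the
# parent's x bit (chmod 000) stands in for chown root + chmod 700.

demo_traversal() {
    top=$(mktemp -d)                 # stand-in for /opt/experiment
    mkdir "$top/apple"               # stand-in for /opt/experiment/apple

    # "terminal B": cwd is set to apple while the parent is still traversable
    result=$(
        cd "$top/apple" || exit 1
        chmod 000 "$top"             # lock the parent after cwd is established
        # relative lookup from the already-open cwd: never walks through $top
        if touch bbb 2>/dev/null; then r1=ok; else r1=denied; fi
        # absolute lookup: must traverse $top, whose x bit is now gone
        if cd "$top/apple" 2>/dev/null; then r2=ok; else r2=denied; fi
        printf 'touch_in_open_cwd=%s cd_by_path=%s' "$r1" "$r2"
    )

    # "terminal C": a fresh process that never had the directory open
    if touch "$top/apple/ccc" 2>/dev/null; then r3=ok; else r3=denied; fi

    chmod 700 "$top" && rm -rf "$top"   # restore x so cleanup can traverse
    printf '%s new_path=%s\n' "$result" "$r3"
}

demo_traversal
```

The printed line shows the three outcomes. The relative touch succeeds because the kernel resolves "bbb" against the inode the subshell already holds as its cwd, while both absolute lookups have to walk through the parent and fail at the component without x. Changing permissions on a parent therefore does not revoke access a process already holds through an open cwd or file descriptor; it only stops new path lookups.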