Sorry, it is very counterintuitive to me. So what you say is this: if there is an open terminal before chmod 700, then I can use that terminal to access "apple", but after I close terminal B, there is no way to access that apple directory? Neither with a shell window, nor with another software? In some cases this may lead to serious security issues, doesn't it? Let me ask this specific question: is there any way to access apple, other than the already open terminal B? If not, then it is OK, but if there is any way to access apple, then I have to do a recursive chown and chmod to make sure nobody can access anything below /opt/experiment.
7. Mar 2018 14:06 by to...@tuxteam.de:

> On Wed, Mar 07, 2018 at 11:54:43AM +0100, epsilon...@tutanota.com wrote:
>> 7. Mar 2018 11:27 by to...@tuxteam.de:
>>
>>> I can't reproduce, either. Once the chown to root happens, non-root
>>> user can't touch files in directory. Ext4.
>>
>> I double checked. Sorry, the previous example was not good. To reproduce the
>> issue, you have to create another directory inside the top one. Here is a
>> working example:
>>
>> # terminal A
>> su
>> mkdir /opt/experiment/
>> chown aristo:aristo /opt/experiment
>> mkdir /opt/experiment/apple
>> chown aristo:aristo /opt/experiment/apple
>>
>> # terminal B
>> whoami # aristo
>> cd /opt/experiment/apple
>> touch aaa # OK
>
> So far so good. Not surprising, IMO.
>
>> # terminal A
>> chown root:root /opt/experiment
>> chmod 700 /opt/experiment
>>
>> # terminal B
>> pwd # Gives /opt/experiment/apple
>> touch bbb # OK bbb is created
>
> Also OK. Or is that surprising to you? Aristo has write permissions for
> apple.
>
>> cd /opt/experiment/apple # Gives permission denied
>
> That's also OK. While aristo has permissions for apple (x is relevant
> here), it hasn't for experiment, so it can't "traverse" it.
>
>> # new terminal C
>> cd /opt/experiment/apple # Denied
>> touch /opt/experiment/apple/ccc # Denied
>
> Same as above: the resolution of the whole path requires traversing
> each path's element in turn, and it fails at "experiment". There's
> even a man page for that: see "man path_resolution" (part of the
> manpages package).
>
>> Note that, after chmod 700, in terminal B you can still create files,
>> although you cannot cd into apple.
>
> Yes, it is supposed to work like that.
>
> Cheers
> -- tomás
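The behaviour tomás describes, and the question asked in the reply above, as an added example that is not part of either message in this thread. It redoes the experiment in Python as an unprivileged user: because it cannot chown to root, it locks the parent with mode 000 (which denies the owner as well, so it has the same effect on the caller that root:root 700 has on aristo), it keeps an open descriptor on apple in place of terminal B's working directory, and it additionally creates a hard link to apple/aaa from outside the locked tree. The temporary base directory standing in for /opt and the link name aaa-link are the example's own choices.

```python
import os
import shutil
import tempfile


def reproduce_lockout(base=None):
    """Redo the thread's experiment as an unprivileged user and report outcomes.

    Mirrors terminals A/B/C: A creates experiment/apple and later locks
    experiment; B holds a descriptor on apple (its cwd in the thread);
    C resolves the full path afresh. Returns a dict of True/False results.
    """
    # Hypothetical stand-in for /opt; a fresh temp dir keeps the run self-contained.
    base = base or tempfile.mkdtemp(prefix="experiment-")
    experiment = os.path.join(base, "experiment")
    apple = os.path.join(experiment, "apple")
    os.makedirs(apple)

    # Terminal B: "cd /opt/experiment/apple" before the lock. An open
    # directory descriptor is what a shell's cwd is underneath.
    apple_fd = os.open(apple, os.O_RDONLY | os.O_DIRECTORY)
    # "touch aaa", resolved relative to that descriptor
    os.close(os.open("aaa", os.O_WRONLY | os.O_CREAT, 0o644, dir_fd=apple_fd))

    # A hard link to aaa placed outside the tree that is about to be locked.
    outside_link = os.path.join(base, "aaa-link")
    os.link(os.path.join(apple, "aaa"), outside_link)

    # Terminal A: lock the parent. Without root we cannot chown to root, so use
    # mode 000: it denies the owner too, which is what root:root 700 means to aristo.
    os.chmod(experiment, 0o000)

    results = {"is_root": os.geteuid() == 0}

    # Terminal B: "touch bbb" relative to the retained cwd. No lookup passes
    # through experiment, so only apple's own mode is checked.
    try:
        os.close(os.open("bbb", os.O_WRONLY | os.O_CREAT, 0o644, dir_fd=apple_fd))
        results["create_via_open_handle"] = True
    except PermissionError:
        results["create_via_open_handle"] = False

    # Terminal C: a fresh absolute path has to traverse experiment and fails
    # there with EACCES, unless the caller is root and bypasses DAC checks.
    try:
        os.stat(apple)
        results["resolve_full_path"] = True
    except PermissionError:
        results["resolve_full_path"] = False

    # The hard link: same inode as apple/aaa, reached by a path that never
    # touches experiment, so only the file's own 0644 applies.
    try:
        with open(outside_link) as f:
            f.read()
        results["read_via_hardlink"] = True
    except PermissionError:
        results["read_via_hardlink"] = False

    # Clean up: restore search permission so the tree can be removed.
    os.close(apple_fd)
    os.chmod(experiment, 0o700)
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for key, value in reproduce_lockout().items():
        print(f"{key}: {value}")
```

Running it shows that a directory's mode governs name lookup through that directory, not the inodes beneath it: creating bbb through the retained handle succeeds, resolving the full path fails (unless the process is root, whose CAP_DAC_READ_SEARCH overrides directory search permission), and the hard link outside the tree still reads aaa because only the file's own mode applies on that path. On Linux another process of the same user can likewise reach apple through terminal B's /proc/<pid>/cwd, which resolves straight to the open directory without walking /opt/experiment, and an existing bind mount of apple keeps working. The 700 on /opt/experiment therefore only cuts off new lookups that pass through it; a recursive chown and chmod is what actually seals what is underneath.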