On 25.06.15 11:48, David Champion wrote:
> There are use cases for allowing specific roles/service accounts
> access to your unvetted email attachment files. (I would expect these
> generally have to do with file sharing/export.) Conventionally the only
> way around this is to proactively degrade your data security and allow
> world (or group) access.

If the attachment is written with unprivileged permissions, then it can
hardly be a greater security threat than any other harmless file a user
might write. I.e. If the OP were to create attachment files with his
ownership, no execute permissions, and some group to which he belongs,
then where's the risk?

There is no implicit problem with allowing group access. It exists to be
used, and serves well to provide broader access _without_ unnecessarily
compromising security. If group access is granted, then it is because
group access is required. It cannot then be a degradation of security.
(I have used it for years on source code repositories to securely
determine who had access to what parts of the code base.)

To provide group access, without faffing with mutt - and more
conveniently allow for multiple groups for the purpose, it is probably
most convenient to simply set the sgid bit on the destination directory
for a category of attachments, since "When SGID is set on a directory,
newly created files will inherit the gid of the directory, not that of
the user creating the file."

To wit:

    # mkdir /tmp/test
    # chgrp mail /tmp/test     # May have privilege. Make your own.
    # chmod g+s,o+w /tmp/test
    # ls -ld /tmp/test
    drwxr-srwx 2 root mail 1024 Jun 26 17:33 /tmp/test
    $ touch /tmp/test/fred
    $ ls -l /tmp/test/fred
    -rw-r--r-- 1 erik mail 0 Jun 26 17:33 /tmp/test/fred

With both the directory and each attachment now having the desired group
permissions, they are accessible to all members of that group. Another
directory might publish to another crowd. That is the purpose of group
permission in *nix, and it serves as well here as it has done in the
past.

That much, at least, is pretty simple. Is there a case for the OP
needing more?

Erik

-- 
(5) It is always possible to agglutinate multiple separate problems
    into a single complex interdependent solution. In most cases
    this is a bad idea.
                                                         RFC-1925
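
An added example, not part of the message above: a small audit of a setgid drop directory of the kind described, checking that the directory bit is set, that saved files carry the directory's group, and that the writer's umask left them group-readable. The function names `check_dropdir` and `demo` and the file names are constructed for illustration, and a `stat` that supports `-c` (GNU or busybox) is assumed.

```shell
#!/bin/sh
# Added example, not from the original message. check_dropdir and demo are
# hypothetical names; assumes a stat(1) that supports -c (GNU or busybox).

# check_dropdir DIR: audit a setgid drop directory and the files in it.
# Prints one finding per line; returns 0 when nothing is flagged.
check_dropdir() {
    dir=$1 rc=0
    dgid=$(stat -c '%g' "$dir")
    # Pad to four octal digits so the special-bits digit is always present.
    dmode=$(printf '%04d' "$(stat -c '%a' "$dir")")
    special=${dmode%???} other=${dmode#???}
    case $special in
        2|3|6|7) ;;
        *) echo "DIR $dir: setgid not set, new files keep the creator's group"; rc=1 ;;
    esac
    case $other in
        2|3|6|7) case $special in
            1|3|5|7) ;;
            *) echo "DIR $dir: world-writable without sticky bit"; rc=1 ;;
        esac ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fgid=$(stat -c '%g' "$f")
        fmode=$(printf '%04d' "$(stat -c '%a' "$f")")
        [ "$fgid" = "$dgid" ] || { echo "FILE $f: gid $fgid, directory gid $dgid"; rc=1; }
        g=${fmode#??}; g=${g%?}          # group permission digit
        case $g in
            4|5|6|7) ;;
            *) echo "FILE $f: not group-readable (mode $fmode), check the writer's umask"; rc=1 ;;
        esac
    done
    return $rc
}

# demo: constructed drop directory with two files saved under different umasks.
demo() {
    d=$(mktemp -d) || return 1
    chmod 2770 "$d"                      # rwxrws---: setgid, no world access
    ( umask 027; : > "$d/report.pdf" )   # 0640: group can read
    ( umask 077; : > "$d/invoice.pdf" )  # 0600: group inherited, no access
    check_dropdir "$d"; st=$?
    rm -rf "$d"
    return $st
}
```

Calling `demo` after sourcing the file reports only `invoice.pdf`: it inherits the directory's group, but the 077 umask leaves that group with no read bit.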