How secure are nested/indirect file access restrictions?
Hello!

Let's assume the following file permissions:

drwxr-xr-x root  root     /srv
drwxr-x--- root  srv-www  /srv/www
drwxrws--x root  dev-1    /srv/www/dom-1
-rw-rw-r-- usr-1 dev-1    /srv/www/dom-1/index.php

While the html subfolder perms allow write access only to root and users within dev-1, index.php would be world-readable, but "indirectly" filtered by the perms of www, which denies access to anyone that is not a group member of srv-www. (Of course, any member of dev-1 must be a member of srv-www, too.)

The idea is to distinguish between one user (file owner), one group with write access (e.g. developers) and one group with limited read access (web server), and to deny access to anyone else at the same time, using standard Unix access rights.

Are there any security implications? So far, I only came across that remounting the file structure would break the permissions in effect. But (re)mounting shall be allowed by root only.

/andy
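The following is an added illustration, not code from the post above: a small Python model of the path-walk checks that make the restriction in the question "indirect", run over the posted tree. Every directory on the way to index.php must grant search (x) to the caller, so a user outside srv-www is stopped at /srv/www even though the file itself is world-readable. The model then carries the check through to one caveat the post does not mention: the world-readable bit is only as good as the paths that lead to the inode, and a dev-1 member, who has read and write on index.php, may hard-link it (this is what fs.protected_hardlinks=1 requires) into a world-searchable directory on the same filesystem, after which anyone can read it there. The users dev-2, www-data and mallory, their group lists and the /tmp directory are assumptions; usr-1, root and the four listed paths come from the post.

```python
"""Model of POSIX discretionary access checks along a path.

Added illustration for the question above, not kernel code.  It reproduces
the three rules that decide the question: root bypasses mode bits, every
directory on the path needs search (x) permission for the caller, and only
the leaf's own bits decide read/write.  dev-2, www-data, mallory and /tmp
are assumptions; the rest of the tree is the posted listing.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # bits of one rwx triplet


@dataclass
class Inode:
    owner: str
    group: str
    mode: int  # low 9 mode bits; the setgid bit on dom-1 is not modelled


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    root: bool = False


def bits_for(node, user):
    """Pick the owner, group or other triplet that applies to user."""
    if user.name == node.owner:
        return (node.mode >> 6) & 7
    if node.group in user.groups:
        return (node.mode >> 3) & 7
    return node.mode & 7


def permitted(node, user, want):
    """root (CAP_DAC_OVERRIDE) ignores mode bits; others need every bit in want."""
    return user.root or (bits_for(node, user) & want) == want


def ancestors(path):
    parts = path.strip("/").split("/")
    yield "/"
    for i in range(1, len(parts)):
        yield "/" + "/".join(parts[:i])


def can_access(fs, path, user, want):
    """Path walk: search on every directory above the leaf, then want on the leaf."""
    if path not in fs:
        return False
    if not all(permitted(fs[d], user, X) for d in ancestors(path)):
        return False
    return permitted(fs[path], user, want)


def link(fs, src, dst, user):
    """Hard link under fs.protected_hardlinks=1 (the Linux default): the caller
    must reach src, have write+search on dst's directory, and own src or hold
    read and write on it.  Both paths are assumed to be on one filesystem."""
    parent = dst.rsplit("/", 1)[0] or "/"
    if not can_access(fs, src, user, 0) or not can_access(fs, parent, user, W | X):
        return False
    node = fs[src]
    if not (user.root or user.name == node.owner or permitted(node, user, R | W)):
        return False
    fs[dst] = node  # same inode: the leaf's 0664 now applies on a world-searchable path
    return True


def build_tree():
    """The posted listing (mode bits only); /tmp is an assumed 1777 directory."""
    return {
        "/":                        Inode("root", "root", 0o755),
        "/srv":                     Inode("root", "root", 0o755),
        "/srv/www":                 Inode("root", "srv-www", 0o750),
        "/srv/www/dom-1":           Inode("root", "dev-1", 0o771),
        "/srv/www/dom-1/index.php": Inode("usr-1", "dev-1", 0o664),
        "/tmp":                     Inode("root", "root", 0o777),
    }


USERS = {
    "root":     User("root", frozenset(), root=True),
    "usr-1":    User("usr-1", frozenset({"dev-1", "srv-www"})),
    "dev-2":    User("dev-2", frozenset({"dev-1", "srv-www"})),  # assumed second developer
    "www-data": User("www-data", frozenset({"srv-www"})),        # assumed web server account
    "mallory":  User("mallory", frozenset()),                    # assumed unrelated local user
}
INDEX = "/srv/www/dom-1/index.php"


def scenario():
    """(read, write) on index.php per user; whether dev-2 can hard-link it into
    /tmp; and who can read the new path afterwards."""
    fs = build_tree()
    before = {n: (can_access(fs, INDEX, u, R), can_access(fs, INDEX, u, W))
              for n, u in USERS.items()}
    linked = link(fs, INDEX, "/tmp/index.php", USERS["dev-2"])
    after = {n: can_access(fs, "/tmp/index.php", u, R) for n, u in USERS.items()}
    return before, linked, after


if __name__ == "__main__":
    before, linked, after = scenario()
    for name, (r, w) in before.items():
        print(f"{name:9} {INDEX}: read={r} write={w}")
    print(f"dev-2 hard-linked {INDEX} into /tmp: {linked}")
    for name, r in after.items():
        print(f"{name:9} /tmp/index.php: read={r}")
```

Run as a script it prints the expected matrix (www-data read-only, mallory denied) and then shows mallory reading /tmp/index.php once the link exists. A separate tmpfs on /tmp defeats that particular target, but any other world-writable directory on the same filesystem serves the same purpose. Note that simply dropping the world bits on index.php would also lock out srv-www, which reaches the file only through them; a POSIX ACL such as `setfacl -m g:srv-www:r index.php` gives the reading group an explicit entry instead and lets the file be 0660.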
Re: systemd and initial tmpfs mounts
Michael Biebl wrote:
> On 08.12.2016 at 13:32, Andreas Born wrote:
>> [...]
>> /lib/systemd/system/tmp.mount as unit file for /tmp, but where are the other
>> tmpfs mounts configured? Which part of systemd is responsible for them? [...]
>
> systemd has hard-coded defaults for them [1].

Thanks, that's exactly what I was looking for. Just didn't think it could be hard-coded.

> Overriding those entries is simple: Just add an entry to /etc/fstab with
> the options you want.

Works perfectly.

> [1]
> https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/src/core/mount-setup.c#n73

regards, andy
Re: systemd automount - Parameter TimeoutIdleSec ignored?
Michael Biebl wrote:
> On 08.12.2016 at 13:33, Andreas Born wrote:
>> Hi all,
>> I need a device to be automatically mounted on access and unmounted when
>> being idle. My /etc/fstab entry:
>>
>> /dev/sdc1 /mnt/auto ext4 defaults,noauto,x-systemd.automount,\
>> x-systemd.idle-timeout=10 0 0
>>
>> Systemd correctly creates the mnt-auto.mount and mnt-auto.automount unit
>> files and automounting works perfectly.
>>
>> x-systemd.idle-timeout=10 is getting translated to TimeoutIdleSec=10s within
>> mnt-auto.automount. According to the manpages (systemd.automount(5)), the
>> parameter TimeoutIdleSec specifies the time interval after which the device
>> is to be unmounted:
>>
>> "TimeoutIdleSec: Configures an idle timeout. Once the mount has been idle for
>> the specified time, systemd will attempt to unmount."
>>
>> However, this never happens. It seems that this parameter is completely
>> ignored and the device never unmounted.
>>
>> Is it a bug, or what did I miss to get it working?
>
> Are you sure nothing is keeping that FS busy?

Yes, I'm quite sure. The device is empty, lsof shows no open handle, and the only access to the filesystem was 'ls -al' to trigger the automount and to list its content.

I've installed systemd from the debian-backports repository, because the current stable version for jessie doesn't offer this functionality. Could it be a compatibility issue?

regards, andy
systemd automount - Parameter TimeoutIdleSec ignored?
Hi all,

I need a device to be automatically mounted on access and unmounted when being idle. My /etc/fstab entry:

/dev/sdc1 /mnt/auto ext4 defaults,noauto,x-systemd.automount,\
x-systemd.idle-timeout=10 0 0

Systemd correctly creates the mnt-auto.mount and mnt-auto.automount unit files and automounting works perfectly.

x-systemd.idle-timeout=10 is getting translated to TimeoutIdleSec=10s within mnt-auto.automount. According to the manpages (systemd.automount(5)), the parameter TimeoutIdleSec specifies the time interval after which the device is to be unmounted:

"TimeoutIdleSec: Configures an idle timeout. Once the mount has been idle for the specified time, systemd will attempt to unmount."

However, this never happens. It seems that this parameter is completely ignored and the device never unmounted.

Is it a bug, or what did I miss to get it working?

regards,
andy
--
Debian Jessie, Systemd 230-7~bpo8+2
systemd and initial tmpfs mounts
Hi all,

Earlier, with SysV, there was /etc/default/tmpfs to configure the initial mounts like /run, /run/lock, /dev/shm, /tmp and so on. Now with systemd there is /lib/systemd/system/tmp.mount as the unit file for /tmp, but where are the other tmpfs mounts configured? Which part of systemd is responsible for them? (I need to set up size and options.)

regards,
andy
--
Debian Jessie, Systemd 230-7~bpo8+2
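The following is an added example, not systemd's code and not part of any post in these threads: a Python model of the two points raised in the tmpfs thread and the automount thread above, namely that an /etc/fstab entry replaces systemd's hard-coded tmpfs mount for the same mount point, and that x-systemd.* options in the fourth fstab field become settings of the generated .mount/.automount units. The built-in table is an assumed stand-in for the real one in src/core/mount-setup.c (take the actual options from the systemd version in use), the time-span normalisation is an approximation, and the sample fstab is constructed. It adds one check a practitioner wants when overriding a built-in tmpfs: "defaults" in fstab means suid,dev,exec, so an entry written only to set size= silently drops the nosuid/nodev the built-in entry carried.

```python
"""Model of how systemd derives mount behaviour from /etc/fstab.

Added illustration for the tmpfs and automount threads above; not systemd
code.  Modelled: an fstab entry replaces the built-in entry for the same
mount point, and x-systemd.* options become settings of the generated
units.  BUILTIN_TMPFS is an assumed stand-in for mount-setup.c.
"""
from dataclasses import dataclass

HARDENING = ("nosuid", "nodev", "noexec")

# Assumed stand-in for the hard-coded tmpfs table in src/core/mount-setup.c;
# take the real options from the systemd version in use.
BUILTIN_TMPFS = {
    "/dev/shm": ["mode=1777", "nosuid", "nodev", "strictatime"],
    "/run": ["mode=755", "nosuid", "nodev", "strictatime"],
    "/run/lock": ["mode=1777", "nosuid", "nodev", "noexec", "size=5242880"],
}

@dataclass
class Entry:
    what: str
    where: str
    fstype: str
    options: list

def parse_fstab(text):
    """fstab(5): whitespace-separated fields, '#' comments, one entry per line;
    the format has no continuation syntax, so a trailing '\\' is just text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed fstab line: {raw!r}")
        what, where, fstype, opts = fields[:4]
        entries.append(Entry(what, where, fstype, opts.split(",")))
    return entries

def effective_tmpfs(entries):
    """where -> (options, source): built-ins first, then any tmpfs entry in
    fstab replacing the default for the same mount point."""
    table = {where: (opts, "built-in") for where, opts in BUILTIN_TMPFS.items()}
    for e in entries:
        if e.fstype == "tmpfs":
            table[e.where] = (e.options, "fstab")
    return table

def missing_hardening(options):
    """'defaults' means suid,dev,exec: an override that only adds size= drops the
    nosuid/nodev the built-in entry carried.  Returns the flags not present."""
    return [f for f in HARDENING if f not in options]

def unit_name(where):
    """Unit name for a plain path, as systemd-escape --path gives: '/' -> '-'."""
    return where.strip("/").replace("/", "-")

def generate_units(entry):
    """Units the fstab generator writes: a .mount, plus a .automount when
    x-systemd.automount is set.  x-systemd.* options are consumed here and
    not passed through to Options=."""
    name = unit_name(entry.where)
    plain = [o for o in entry.options if not o.startswith("x-systemd.")]
    units = {f"{name}.mount": {"What": entry.what, "Where": entry.where,
                               "Type": entry.fstype, "Options": ",".join(plain)}}
    if "x-systemd.automount" in entry.options:
        auto = {"Where": entry.where}
        for o in entry.options:
            if o.startswith("x-systemd.idle-timeout="):
                value = o.split("=", 1)[1]
                # a bare number is seconds; the real generator normalises the span
                auto["TimeoutIdleSec"] = value + "s" if value.isdigit() else value
        units[f"{name}.automount"] = auto
    return units

# Constructed sample: the thread's automount entry on one line, plus two tmpfs overrides.
SAMPLE_FSTAB = """
/dev/sdc1 /mnt/auto ext4 defaults,noauto,x-systemd.automount,x-systemd.idle-timeout=10 0 0
tmpfs /dev/shm tmpfs defaults,size=1G 0 0
tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec,size=2G 0 0
"""

def report(text=SAMPLE_FSTAB):
    entries = parse_fstab(text)
    tmpfs = effective_tmpfs(entries)
    weak = {w: missing_hardening(o) for w, (o, src) in tmpfs.items()
            if src == "fstab" and missing_hardening(o)}
    units = {k: v for e in entries for k, v in generate_units(e).items()}
    return {"tmpfs": tmpfs, "weak": weak, "units": units}

if __name__ == "__main__":
    r = report()
    for where, (opts, src) in r["tmpfs"].items():
        print(f"{where:10} {src:9} {','.join(opts)}")
    for where, lost in r["weak"].items():
        print(f"WARNING {where}: fstab override lacks {','.join(lost)}")
    for unit, settings in r["units"].items():
        print(unit, settings)
```

Run as a script it prints the effective tmpfs table with its source per mount point, a warning for the /dev/shm override that lost nosuid and nodev, and the units derived from each entry, including mnt-auto.automount with TimeoutIdleSec=10s. Since fstab(5) defines no line continuation, the parser takes each line as one entry and rejects the remainder of a wrapped entry as malformed; keep each entry on a single line when writing /etc/fstab.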