Re: Permissions Question & Re: Permissions advice needed
On Tuesday 09 January 2007 1:01 pm, [EMAIL PROTECTED] wrote:
> On 1/8/07, Kirk Strauser <[EMAIL PROTECTED]> wrote:
>> You could configure sudo to give him access to run that one
>> command as root.
> One has to be very careful about giving out such access!
> root has much power.

Hence "sudo", where you're giving them exactly one permission: the ability to execute one specific read-only command.

--
Kirk Strauser
RE: Permissions advice needed.
To clarify a point, the following line,

This works well as this is the only non-root suid file on the system

should be replaced with

This works well as this is the only "non-root accessible" suid file on the system.

Cheers,
Brett.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Davidson
Sent: Wednesday, 10 January 2007 8:53 a.m.
To: freebsd-questions@freebsd.org
Subject: FW: Permissions advice needed.

-Original Message-
From: Malcolm Kay [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 9 January 2007 6:03 p.m.
To: freebsd-questions@freebsd.org
Cc: Brett Davidson
Subject: Re: Permissions advice needed.

On Tue, 9 Jan 2007 06:13 am, Brett Davidson wrote:
> I have a curious problem.
>
> I need an executable file to be owned by a user's uid and gid so they
> can run it.

Malcolm: A user does not need to own a file to be able to run it. All they need is execute permission. So what is the real problem?

Brett: This file is being run via suexec in Apache, so yes, both uid and gid need to match in order for the file to be run. This particular system is running a shared-hosting webserver and utilising php-cgi and suexec appears to be the easiest way of providing inter-site isolation. The only problem with that is that you need a wrapper in order to provide customised php.ini settings for each site via the PHPRC environment variable. That wrapper is the file I am concerned about here.

> HOWEVER, I don't want them to be able to modify or delete the file
> and/or its permissions. Another program will do that.

Malcolm: Deleting or creating a file requires write access in the directory containing the file reference -- it has nothing to do with the permissions on the file itself.

Brett: I only want one particular file in the directory to be untouchable so directory permissions aren't helpful. Directory permissions only go part of the way as the file has to be read-only as well.

Anyway, for what it's worth, I have found a fix; in FreeBSD 6.2 the MAC_BSDEXTENDED filesystem firewall has been enhanced. If I use that, make the file suid (harmless since it's already owned by the user), then the ugidfw rule below all works well:

"ugidfw add subject not uid 0 object suid rx"

This works well as this is the only non-root suid file on the system. In other systems where this may not be the case the rule should still be harmless as these suid files SHOULD only have rx permissions for non-root users anyway. :-)

The only gotcha to that would be during program upgrades performed via a non-root user; the rule will either need to be relaxed or an additional specific rule could be placed above it to allow suid modifications to any specific non-root owned programs that may be in place.

Cheers,
Brett.

>
> This, under standard Unix permissions, is a tad difficult. :-)
>
> ACL's don't help here as the owner of a file has the ability to change
> permissions.
>
> I could set the immutable bit (Linux term for the schg flag) but the
> modifying program does not recognise this flag and will thus fail to
> modify the file.
> (I have no control over the modifying program).
>
> Any ideas?
>
> I don't want to go down the line of using BSD MAC but I'm starting to
> think I may have to just to be able to prevent the user from
> modifying ONE file! (I'm not even sure I could implement this using
> MAC anyway).
>
> Cheers,
> Brett.
RE: Permissions advice needed.
Unfortunately, as I expounded to Malcolm Kay, in this application (a shared-hosting webserver) suexec is being used which does not traverse symbolic links. :-(

MAC_BSDEXTENDED in Bsd6.2 solves the problem very nicely.

Cheers,
Brett.

From: George Vanev [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 9 January 2007 7:42 p.m.
To: Brett Davidson
Subject: Re: Permissions advice needed.

Brett,

Why don't you make a symbolic link to that file? You may set read, write and execute permissions if you wish... doesn't matter. The users will be able to run your executable via the link, but they won't be able to modify it.

On 1/8/07, Brett Davidson <[EMAIL PROTECTED]> wrote:

I have a curious problem.

I need an executable file to be owned by a user's uid and gid so they can run it.

HOWEVER, I don't want them to be able to modify or delete the file and/or its permissions. Another program will do that.

This, under standard Unix permissions, is a tad difficult. :-)

ACL's don't help here as the owner of a file has the ability to change permissions.

I could set the immutable bit (Linux term for the schg flag) but the modifying program does not recognise this flag and will thus fail to modify the file. (I have no control over the modifying program).

Any ideas?

I don't want to go down the line of using BSD MAC but I'm starting to think I may have to just to be able to prevent the user from modifying ONE file! (I'm not even sure I could implement this using MAC anyway).

Cheers,
Brett.

--
George Vanev
FW: Permissions advice needed.
-Original Message-
From: Malcolm Kay [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 9 January 2007 6:03 p.m.
To: freebsd-questions@freebsd.org
Cc: Brett Davidson
Subject: Re: Permissions advice needed.

On Tue, 9 Jan 2007 06:13 am, Brett Davidson wrote:
> I have a curious problem.
>
> I need an executable file to be owned by a user's uid and gid so they
> can run it.

Malcolm: A user does not need to own a file to be able to run it. All they need is execute permission. So what is the real problem?

Brett: This file is being run via suexec in Apache, so yes, both uid and gid need to match in order for the file to be run. This particular system is running a shared-hosting webserver and utilising php-cgi and suexec appears to be the easiest way of providing inter-site isolation. The only problem with that is that you need a wrapper in order to provide customised php.ini settings for each site via the PHPRC environment variable. That wrapper is the file I am concerned about here.

> HOWEVER, I don't want them to be able to modify or delete the file
> and/or its permissions. Another program will do that.

Malcolm: Deleting or creating a file requires write access in the directory containing the file reference -- it has nothing to do with the permissions on the file itself.

Brett: I only want one particular file in the directory to be untouchable so directory permissions aren't helpful. Directory permissions only go part of the way as the file has to be read-only as well.

Anyway, for what it's worth, I have found a fix; in FreeBSD 6.2 the MAC_BSDEXTENDED filesystem firewall has been enhanced. If I use that, make the file suid (harmless since it's already owned by the user), then the ugidfw rule below all works well:

"ugidfw add subject not uid 0 object suid rx"

This works well as this is the only non-root suid file on the system. In other systems where this may not be the case the rule should still be harmless as these suid files SHOULD only have rx permissions for non-root users anyway. :-)

The only gotcha to that would be during program upgrades performed via a non-root user; the rule will either need to be relaxed or an additional specific rule could be placed above it to allow suid modifications to any specific non-root owned programs that may be in place.

Cheers,
Brett.

>
> This, under standard Unix permissions, is a tad difficult. :-)
>
> ACL's don't help here as the owner of a file has the ability to change
> permissions.
>
> I could set the immutable bit (Linux term for the schg flag) but the
> modifying program does not recognise this flag and will thus fail to
> modify the file.
> (I have no control over the modifying program).
>
> Any ideas?
>
> I don't want to go down the line of using BSD MAC but I'm starting to
> think I may have to just to be able to prevent the user from
> modifying ONE file! (I'm not even sure I could implement this using
> MAC anyway).
>
> Cheers,
> Brett.
Re: Permissions Question & Re: Permissions advice needed
The following suggestion should work for both problems and avoid the difficulties I saw with the other solutions.

Write an executable (Korn shell) script owned by the owner of the files to be examined (thus he should have all the access he needs) which checks the user-id of its caller [effective and/or original] (to make sure unauthorized users don't get access) and the current date against an end-date (to shut off access at the desired date automatically), probably use the julian date to make checking easier.

While I have your attention, does anybody know of jobs for any or all of the following: C/C++, Korn shell scripts, and SQL (Sybase) programmers? I live in the NYC suburbs area (Rockland Cty) and I'm willing to telecommute and maybe even relocate. My resume can be sent by email upon request.

On 1/8/2007, "Andy Greenwood" <[EMAIL PROTECTED]> wrote
>On 1/8/07, Kirk Strauser <[EMAIL PROTECTED]> wrote:
> On Monday 08 January 2007 12:07 pm, Jay Chandler wrote:
>
>> I've got a user who needs to be able to view (read only) the aliases
>> file. We'll grant him root access a few weeks after the eventual
>> heat-death of the universe, so how would you all go about doing this?
>>
>> You could configure sudo to give him access to run that one
>> command as root.

One has to be very careful about giving out such access! root has much power.

On 8 Jan 2007 13:24:58, Kirk Strauser <[EMAIL PROTECTED]> wrote
> On Monday 08 January 2007 12:57 pm, Andy Greenwood wrote:
>> I've never used them, but wasn't ACL written just for this scenario?
> Perhaps, but that seems like a lot more effort to accomplish a
> relatively easy job.

Would work, but it doesn't take into account the time limitation (>> We'll grant him root access a few weeks).

On 8 Jan 2007 15:07:01, Robert Huff <[EMAIL PROTECTED]> wrote
> Jay Chandler writes:
(snip)
>> Hand him some sheets of printout?

Waste of paper (and trees). Also, one can't use UNIX tools on the data (e.g., grep, editors) to put some of the data in other docs.

>>
>> Sadly, the data change too often for this to be effective.
> Copy the file every N minutes, then change ownership and
> permissions?

Again, too much work for the owner.

On 08 Jan 2007 13:19:32 Jay Chandler <[EMAIL PROTECTED]> wrote
>Robert Huff wrote:
>> Jay Chandler writes:
>>
>>(snip)
>> Copy the file every N minutes, then change ownership and
>> permissions?
>>(snip)
> Probably the simplest way to do it-- just wanted to make sure I wasn't
> overlooking something silly.
> Thanks!

Too much work for the one copying unless he has a script do it maybe as a cron job.

On 9 Jan 2007 08:43:11, "Brett Davidson" <[EMAIL PROTECTED]> wrote (on Subject: Permissions advice needed.)
>
> I have a curious problem.
>
> I need an executable file to be owned by a user's uid and gid so they
> can run it.

A user can run a script/binary file whose uid and gid differ from his (Just give "other" 'rx' permission.) If you want to give such access only to one user, put him in an ACL. Give him 'rx' permission; he won't be able to modify the file. Anyway, why must the executable file be owned by the user running it?

> HOWEVER, I don't want them to be able to modify or delete the file
> and/or its permissions. Another program will do that.
> This, under standard Unix permissions, is a tad difficult. :-)

"difficult"??? I don't see that.

> ACL's don't help here as the owner of a file has the ability to
> change permissions.
> I could set the immutable bit (Linux term for the schg flag) but the
> modifying program does not recognise this flag and will thus fail to
> modify the file.
> (I have no control over the modifying program).
> Any ideas?
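
Added example, not part of any message in this thread: the caller-checked, date-limited viewer script suggested in the message above, written as POSIX sh (which ksh also runs) and assumed to be reached through the one-command sudo rule Kirk Strauser describes. The account name jdoe, the install path, the aliases path, the end date and the use of a YYYYMMDD comparison in place of a Julian date are assumptions made here.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed deployment: root-owned,
# mode 0755, reachable only through one sudoers entry such as
#   jdoe ALL=(root) NOPASSWD: /usr/local/sbin/view-aliases
# (account name and install path are hypothetical).

ALLOWED_USERS="jdoe"          # hypothetical account(s), space separated
END_DATE="20070131"           # constructed: last permitted day, YYYYMMDD
TARGET="/etc/mail/aliases"    # assumed path; fixed, never taken from the caller

# may_view CALLER TODAY: exit status 0 if CALLER may read TARGET on TODAY.
may_view() {
    caller=$1
    today=$2
    # Fail closed on empty or malformed input.
    case $caller in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
    case $today in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#today}" -eq 8 ] || return 1
    # Eight-digit YYYYMMDD values order the same way as the dates do.
    [ "$today" -le "$END_DATE" ] || return 1
    for u in $ALLOWED_USERS; do
        if [ "$u" = "$caller" ]; then
            return 0
        fi
    done
    return 1
}

# view_file: print TARGET if the invoking user passes the gate.
# sudo exports SUDO_USER, the login name of the user who ran sudo.
view_file() {
    if may_view "${SUDO_USER:-}" "$(date +%Y%m%d)"; then
        cat "$TARGET"
    else
        echo "view-aliases: access denied" >&2
        return 1
    fi
}

# Act only when run under the installed name, so the functions can be
# sourced and exercised without touching TARGET.
case ${0##*/} in
    view-aliases) view_file ;;
esac
```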
Re: Permissions advice needed.
Malcolm Kay wrote:
> On Tue, 9 Jan 2007 04:02 pm, Garrett Cooper wrote:
>> Why does he need access to aliases though? For mail program purposes?
>> -Garrett
>
> I think you may have mixed up two threads with very similar subject lines.
> I see no reference to aliases in this thread.
> (Confusing isn't it)
>
> Malcolm

Yeah, I pick interesting times to start threads it would seem. :-)

We're doing some group membership stuff through the aliases file, and this guy helps administer some of them in a tertiary sense. The correct way to do this is of course through our LDAP directory, but that would of course make entirely too much sense...

--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / [EMAIL PROTECTED]
Today's Excuse: user to computer ratio too high.
Re: Permissions advice needed.
On Tue, 9 Jan 2007 04:02 pm, Garrett Cooper wrote:
> Malcolm Kay wrote:
> > On Tue, 9 Jan 2007 06:13 am, Brett Davidson wrote:
> >> I have a curious problem.
> >>
> >> I need an executable file to be owned by a user's uid and
> >> gid so they can run it.
> >
> > A user does not need to own a file to be able to run it. All
> > they need is execute permission. So what is the real
> > problem?
> >
> >> HOWEVER, I don't want them to be able to modify or delete
> >> the file and/or its permissions. Another program will do
> >> that.
> >
> > Deleting or creating a file requires write access in the
> > directory containing the file reference -- it has nothing to
> > do with the permissions on the file itself.
> >
> > Malcolm
> >
> >> This, under standard Unix permissions, is a tad difficult.
> >> :-)
> >>
> >> ACL's don't help here as the owner of a file has the
> >> ability to change permissions.
> >>
> >> I could set the immutable bit (Linux term for the schg
> >> flag) but the modifying program does not recognise this
> >> flag and will thus fail to modify the file.
> >> (I have no control over the modifying program).
> >>
> >> Any ideas?
> >>
> >> I don't want to go down the line of using BSD MAC but I'm
> >> starting to think I may have to just to be able to prevent
> >> the user from modifying ONE file! (I'm not even sure I
> >> could implement this using MAC anyway).
> >>
> >> Cheers,
> >> Brett.
>
> Make a specialized setuid script or program to do that, and
> set the sticky bit appropriately if you don't want them to
> have direct access to the file. Just make sure that others
> don't have access to the file.
>
> Why does he need access to aliases though? For mail program
> purposes? -Garrett

I think you may have mixed up two threads with very similar subject lines. I see no reference to aliases in this thread. (Confusing isn't it)

Malcolm
Re: Permissions advice needed.
Malcolm Kay wrote:
> On Tue, 9 Jan 2007 06:13 am, Brett Davidson wrote:
>> I have a curious problem.
>>
>> I need an executable file to be owned by a user's uid and gid so they
>> can run it.
>
> A user does not need to own a file to be able to run it. All they need
> is execute permission. So what is the real problem?
>
>> HOWEVER, I don't want them to be able to modify or delete the file
>> and/or its permissions. Another program will do that.
>
> Deleting or creating a file requires write access in the directory
> containing the file reference -- it has nothing to do with the
> permissions on the file itself.
>
> Malcolm
>
>> This, under standard Unix permissions, is a tad difficult. :-)
>>
>> ACL's don't help here as the owner of a file has the ability to change
>> permissions.
>>
>> I could set the immutable bit (Linux term for the schg flag) but the
>> modifying program does not recognise this flag and will thus fail to
>> modify the file.
>> (I have no control over the modifying program).
>>
>> Any ideas?
>>
>> I don't want to go down the line of using BSD MAC but I'm starting to
>> think I may have to just to be able to prevent the user from modifying
>> ONE file! (I'm not even sure I could implement this using MAC anyway).
>>
>> Cheers,
>> Brett.

Make a specialized setuid script or program to do that, and set the sticky bit appropriately if you don't want them to have direct access to the file. Just make sure that others don't have access to the file.

Why does he need access to aliases though? For mail program purposes?
-Garrett
Re: Permissions advice needed.
On Tue, 9 Jan 2007 06:13 am, Brett Davidson wrote:
> I have a curious problem.
>
> I need an executable file to be owned by a user's uid and gid
> so they can run it.

A user does not need to own a file to be able to run it. All they need is execute permission. So what is the real problem?

> HOWEVER, I don't want them to be able to modify or delete the
> file and/or its permissions. Another program will do that.

Deleting or creating a file requires write access in the directory containing the file reference -- it has nothing to do with the permissions on the file itself.

Malcolm

>
> This, under standard Unix permissions, is a tad difficult. :-)
>
> ACL's don't help here as the owner of a file has the ability
> to change permissions.
>
> I could set the immutable bit (Linux term for the schg flag)
> but the modifying program does not recognise this flag and
> will thus fail to modify the file.
> (I have no control over the modifying program).
>
> Any ideas?
>
> I don't want to go down the line of using BSD MAC but I'm
> starting to think I may have to just to be able to prevent
> the user from modifying ONE file! (I'm not even sure I could
> implement this using MAC anyway).
>
> Cheers,
> Brett.
Permissions advice needed.
I have a curious problem.

I need an executable file to be owned by a user's uid and gid so they can run it.

HOWEVER, I don't want them to be able to modify or delete the file and/or its permissions. Another program will do that.

This, under standard Unix permissions, is a tad difficult. :-)

ACL's don't help here as the owner of a file has the ability to change permissions.

I could set the immutable bit (Linux term for the schg flag) but the modifying program does not recognise this flag and will thus fail to modify the file. (I have no control over the modifying program).

Any ideas?

I don't want to go down the line of using BSD MAC but I'm starting to think I may have to just to be able to prevent the user from modifying ONE file! (I'm not even sure I could implement this using MAC anyway).

Cheers,
Brett.