What is Negative permissions
In the daily security run I see the following:

Checking setuid files and devices:

Checking negative group permissions:
3791965 -rwxr--r-x 1 admin wheel 172 Mar 9 10:59:55 2011 /usr/home/admin/bin/noip_update.sh

Is it just a reminder that the group has no x permissions or should I give those permissions?

Thanks
/Leslie
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: What is Negative permissions
On 23/09/2013 11:54, Leslie Jensen wrote:
> In the daily security run I see the following:
>
> Checking setuid files and devices:
>
> Checking negative group permissions:
> 3791965 -rwxr--r-x 1 admin wheel 172 Mar 9 10:59:55 2011 /usr/home/admin/bin/noip_update.sh
>
> Is it just a reminder that the group has no x permissions or should I give those permissions?

Yes, basically. It's obviously very odd to give everyone OTHER than :wheel members permission to run it.

What about user root in group wheel - is root allowed to run it? Actually, yes, even though you might think you've forbidden members of wheel.

Regards, Frank.
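A check of the kind the report above describes, written as an added example (it is not FreeBSD's periodic script and not code from the thread): it walks a tree and reports regular files whose "other" bits grant something the group bits withhold. The function names, the temporary directory and the two extra sample files are constructed for the illustration.

```python
import os
import stat
import tempfile


def negative_group_bits(mode):
    """Return the rwx bits (0-7) granted to 'other' but withheld from 'group'."""
    group = (mode >> 3) & 0o7
    other = mode & 0o7
    return other & ~group


def scan(root):
    """List (path, symbolic mode, missing group bits) for regular files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)              # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            missing = negative_group_bits(st.st_mode)
            if missing:
                findings.append((path, stat.filemode(st.st_mode), missing))
    return findings


def demo():
    """Build a constructed tree holding the mode from the report and scan it."""
    samples = (("noip_update.sh", 0o745),   # -rwxr--r-x, as in the report
               ("ok.sh", 0o755),            # group and other equal: not flagged
               ("notes.txt", 0o640))        # group has more than other: not flagged
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in samples:
            path = os.path.join(tmp, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return [(os.path.basename(p), m, bits) for p, m, bits in scan(tmp)]


if __name__ == "__main__":
    for name, mode, bits in demo():
        print(f"{mode} {name}: other has bits {bits:03b} that group lacks")
```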
What are negative permissions?
Can someone explain to me what negative group permissions are?
Re: What are negative permissions?
On Sun, Sep 16, 2012 at 9:57 PM, Gary Aitken free...@dreamchaser.org wrote:
> Can someone explain to me what negative group permissions are?

In what context, sir?

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
I can't hear you -- I'm using the scrambler.
Re: What are negative permissions?
On 16/09/2012 19:57, Gary Aitken wrote:
> Can someone explain to me what negative group permissions are?

It's where the group ownership of a file gives it fewer permissions than are allowed for the world in general.

Suppose you have a file with these permissions and ownership:

    foo bar -rwx---r-x

The owner -- foo -- has full read, write and execute permissions on the file. Anyone has read and execute permissions. But the group -- bar -- has no permissions.

Now, logically, you might think that the world permissions would override the lack of group permissions, but in fact, that's not what happens. Permissions like that mean 'everyone *except* members of group bar can read and execute this'.

Cheers,
Matthew

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
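The evaluation order described in the answer above, and the remark about root in the first thread, as an added example that is not part of any post: a small model of the classic mode-bit check for a regular file, in which exactly one class (owner, else group, else other) applies and the superuser is handled separately. The numeric uids and gids are constructed, and ACLs and MAC policies are not modelled.

```python
R, W, X = 4, 2, 1  # bits within one rwx triplet


def applicable_class(mode, file_uid, file_gid, uid, gids):
    """Select the single permission class that applies to this caller."""
    if uid == file_uid:
        return "owner", (mode >> 6) & 0o7
    if file_gid in gids:
        return "group", (mode >> 3) & 0o7   # no fall-through to 'other'
    return "other", mode & 0o7


def allowed(mode, file_uid, file_gid, uid, gids, want):
    """Model of the mode-bit access decision for a regular file."""
    if uid == 0:
        # Superuser: read/write are granted; execute needs an x bit in any class.
        return not (want & X) or bool(mode & 0o111)
    _cls, bits = applicable_class(mode, file_uid, file_gid, uid, gids)
    return (bits & want) == want


# Constructed ids for the two files quoted in the threads.
FOO, BAR_GID = 1001, 2001        # "foo bar -rwx---r-x"
ADMIN, WHEEL_GID = 1002, 0       # "-rwxr--r-x ... admin wheel"


def demo():
    return {
        "bar member reads foo's file":
            allowed(0o705, FOO, BAR_GID, 1003, {BAR_GID}, R),
        "outsider reads and executes it":
            allowed(0o705, FOO, BAR_GID, 1004, {3000}, R | X),
        "foo, also in bar, executes it":
            allowed(0o705, FOO, BAR_GID, FOO, {BAR_GID}, X),
        "wheel member runs noip_update.sh":
            allowed(0o745, ADMIN, WHEEL_GID, 1005, {WHEEL_GID}, X),
        "root in wheel runs noip_update.sh":
            allowed(0o745, ADMIN, WHEEL_GID, 0, {WHEEL_GID}, X),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {'allowed' if verdict else 'denied'}")
```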
Re: What are negative permissions?
On Sunday, September 16, 2012 at 08:37:48PM +0100, Matthew Seaman wrote:
> It's where the group ownership of a file gives it fewer permissions than are allowed for the world in general.
>
> Suppose you have a file with these permissions and ownership:
>
>     foo bar -rwx---r-x
> ...

So far so good (and correct) the theory. But, could you imagine a real world example where this makes any sense?

thanks

matthias

--
Matthias Apitz               |  /\  ASCII Ribbon Campaign: www.asciiribbon.org
E-mail: g...@unixarea.de     |  \ /  - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |   X   - No proprietary attachments
phone: +49-170-4527211       |  / \  - Respect for open standards
Re: What are negative permissions?
On Sun, Sep 16, 2012 at 12:50 PM, Matthias Apitz g...@unixarea.de wrote:
> On Sunday, September 16, 2012 at 08:37:48PM +0100, Matthew Seaman wrote:
>> It's where the group ownership of a file gives it fewer permissions than are allowed for the world in general.
>>
>> Suppose you have a file with these permissions and ownership:
>>
>>     foo bar -rwx---r-x
>> ...
>
> So far so good (and correct) the theory. But, could you imagine a real world example where this makes any sense?

Group permissions are rather blunt, and if you want fine-grained access controls, you'll need to enable ACLs.

However... Imagine, if you will, a group entitled guest, with the semantics you might normally associate with that name - then using negative group permissions on a directory effectively prevents traversal beyond that point for members of that group.

- M
Re: What are negative permissions?
Michael Sierchio ku...@tenebras.com wrote:
> On Sun, Sep 16, 2012 at 12:50 PM, Matthias Apitz g...@unixarea.de wrote:
>> On Sunday, September 16, 2012 at 08:37:48PM +0100, Matthew Seaman wrote:
>>> It's where the group ownership of a file gives it fewer permissions than are allowed for the world in general.
>>>
>>> Suppose you have a file with these permissions and ownership:
>>>
>>>     foo bar -rwx---r-x
>>> ...
>>
>> So far so good (and correct) the theory. But, could you imagine a real world example where this makes any sense?
>
> Group permissions are rather blunt, and if you want fine-grained access controls, you'll need to enable ACLs.
>
> However... Imagine, if you will, a group entitled guest, with the semantics you might normally associate with that name - then using negative group permissions on a directory effectively prevents traversal beyond that point for members of that group.

It's also 'convenient' for an anonymous ftp 'upload' directory -- set the upload directory permissions to '-w--w-rw-' and any 'username' in the 'anonymous' group can only upload files to that directory -- can't get a directory listing, read any files, or change directory. BUT, any 'non-anonymous' user _can_ do those things.

There are many kinds of special case scenarios where it is desirable to make something 'generally available' to the users, but -deny- access to a specific group of users. Negative permissions is a simple, and simplistic, approach to the issue -- but it is a 'traditional' one, from the days before extended access-control lists.