negative group permissions?
Ian Lepore
freebsd at damnhippie.dyndns.org
Wed Feb 29 15:00:29 UTC 2012
On Wed, 2012-02-29 at 13:21 +0000, jb wrote:
> jb <jb.1234abcd <at> gmail.com> writes:
>
> > ...
> > I would suggest (if you can) that you change the .seq permissions to 0664 and
> > watch what happens to it - the purpose is to narrow down who/what changed its
> > mode.
> > Some history. logs. and some ad hoc "watch script" would do it.
>
> Take a look at "notify" feature (file, dir, event).
> http://www.freebsd.org/cgi/ports.cgi?query=notify&stype=all
> jb
I don't understand why everyone is focused on the 641 mode the file ends
up with. The code creates the file using 0661, and under a umask of 022
you end up with a file with 0641 permissions. How the write bit
disppeared from the group permissions doesn't seem to be germane to the
real question of why the code specifies world-exec access.
I don't think it's a legitimate attempt to leverage the negative
permissions quirk, because it doesn't effectively do so. It's not a
directory or executable file in the first place, so making it executable
for everyone except the owner and group is not some sort of subtle
security trick, it's just meaningless. I think the code is long overdue
for a fix to 0660 permissions when creating the file.
-- Ian
More information about the freebsd-current
mailing list