Controlling read access
John Almberg
jalmberg at identry.com
Wed Aug 6 19:27:53 UTC 2008
> | Hi Greg,
> |
> | I tried your sequence, but it didn't seem to work. Or, perhaps it worked
> | and the PRIVSEP option doesn't do what I expect it to. Logging in as a
> | normal user gives that user root privileges.
> |
> | This seems pretty scary to me. Not so bad, since the user is locked into
> | his own directory, but enough power to hurt themselves, which is too
> | much power, IMHO. My users aren't experts. I can definitely see them
> | clicking the delete key by accident.
> |
> | Back to digging for info...
> |
> | Thanks: John
> |
>
> Hi John,
>
> After logging into pure-ftpd, even if I type "cd /", I cannot break out
> of my home directory. Because of the way UNIX permissions work, if root
> (or any other user) owns a file in my home directory, I can still delete it.
> If you want to prevent that, you'll have to also use the
> chflags command to protect files that you don't want to be removed by
> anyone.
>
Wow... I learn something new in this job every day, but usually not
as new as that. This completely revises what I thought I knew about
permissions. If you had asked me this morning if I could delete a
file owned by root with permissions set to 400 from my own directory,
I would have said absolutely not. How wrong I would have been...
I guess I can do this because I own the directory that the foreign
file is in, and I should have control over that directory...
Yes... If I create a directory within my own home directory and
change the ownership of that directory to root:nobody, then I cannot
delete any file in that directory.
Okay, this is starting to make sense. I guess I just never noticed
this small detail of Unix file permissions. Very interesting!
I skimmed through the chflags section of "Absolute FreeBSD" on my
first read through... It rang a bell when you mentioned it, but I'd
completely forgotten about it. I'm going to read it much more
carefully this time :-)
Anyway, thanks to everyone who has helped me out with my week-long
struggle with 'simple' old FTP.
"Challenge your assumptions." That's the lesson of *this* week!
Brgds: John
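The rule Greg describes, and that John confirms by chowning a subdirectory to root, is that unlink() is authorised by write permission on the containing directory, not by the mode bits of the file. The script below is an added illustration, not part of the thread or of pure-ftpd; it assumes a POSIX shell, mktemp/chmod/rm/id, an unprivileged user, and, for the last case, a BSD system with chflags (on Linux the closest equivalent is chattr +i, which is not exercised here). Each function returns 0 when the behaviour matches the explanation in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): who may delete a file?
# Assumes POSIX sh, coreutils-style mktemp/chmod/rm/id, and a non-root user.

# Case 1: a file with mode 000 inside a directory we own.
# Expect: deletion succeeds, because the directory is writable by us.
# Returns 0 if the file could be removed, 1 if not, 2 on setup failure.
demo_delete_in_own_dir() {
    d=$(mktemp -d) || return 2
    touch "$d/locked" && chmod 000 "$d/locked"      # no rwx on the file itself
    if rm -f "$d/locked" 2>/dev/null && [ ! -e "$d/locked" ]; then
        rm -rf "$d"; return 0
    fi
    chmod -R u+rwx "$d"; rm -rf "$d"; return 1
}

# Case 2: a world-writable file inside a directory with no write bit.
# Expect: deletion is refused (EACCES), because the directory is not writable.
# This mirrors John's "chown root:nobody the subdirectory" experiment.
# Returns 0 if deletion was refused, 1 if it went through, 3 when run as
# root (root bypasses directory permission checks, so there is nothing to show).
demo_delete_in_readonly_dir() {
    [ "$(id -u)" -eq 0 ] && return 3
    d=$(mktemp -d) || return 2
    touch "$d/open" && chmod 666 "$d/open"           # file is fully writable
    chmod 500 "$d"                                   # directory: r-x only
    if rm -f "$d/open" 2>/dev/null; then
        chmod 700 "$d"; rm -rf "$d"; return 1       # unexpected: unlink succeeded
    fi
    chmod 700 "$d"; rm -rf "$d"; return 0
}

# Case 3: Greg's suggestion, the BSD user-immutable flag (chflags uchg).
# Expect: deletion is refused even though we own both file and directory.
# Returns 0 if the flag protected the file, 1 if it did not, 2 on setup
# failure, 4 when chflags is not available on this system (e.g. Linux).
demo_chflags_protect() {
    command -v chflags >/dev/null 2>&1 || return 4
    d=$(mktemp -d) || return 2
    touch "$d/keep"
    chflags uchg "$d/keep" || { rm -rf "$d"; return 2; }
    if rm -f "$d/keep" 2>/dev/null; then
        rm -rf "$d"; return 1
    fi
    chflags nouchg "$d/keep"; rm -rf "$d"; return 0  # clear the flag before cleanup
}

# Stand-alone report; each line shows the return code of one case.
demo_delete_in_own_dir;      echo "mode-000 file in own dir, deletable? rc=$?"
demo_delete_in_readonly_dir; echo "mode-666 file in r-x dir, refused?   rc=$?"
demo_chflags_protect;        echo "uchg-flagged file, refused?          rc=$?"
```

Note that case 3 uses the user-settable uchg flag so the script runs without root; the schg (system immutable) flag Greg is more likely thinking of for a server behaves the same way for unlink but can only be set and cleared by root, and only at a securelevel that permits it.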