file permission baffle

Matthew Seaman m.seaman at infracaninophile.co.uk
Sun Mar 30 02:15:12 PST 2003


On Sun, Mar 30, 2003 at 03:11:18AM -0500, David Banning wrote:
> I have these links from my web directory; 
> 
> root# cd /usr/local/www/data/fax/
> root# ls -l
> 
> lrwxr-xr-x  1 root  wheel  18 Mar 29 16:37 chantelle -> /usr/chantelle/fax
> lrwxrwxrwx  1 root  wheel  14 Mar 10 00:15 david -> /usr/david/fax
> 
> I can't change the permissions on them. It's because the permissions
> are dependent on the linked directory, right? Doesn't seem so;

You can use 'chmod -h' to change the permissions on the link itself, e.g.:

    % ln -s bar baz 
    /tmp/foo:% ls -la 
    total 0
    -rw-r--r--  1 matthew  wheel    0 Mar 30 10:13 bar
    lrwxr-xr-x  1 matthew  wheel    3 Mar 30 10:14 baz@ -> bar
    % chmod -h 664 baz 
    % ls -la 
    total 0
    -rw-r--r--  1 matthew  wheel    0 Mar 30 10:13 bar
    lrw-rw-r--  1 matthew  wheel    3 Mar 30 10:14 baz@ -> bar

When you open a file or directory via a symbolic link, first you need
sufficient permissions to read the link itself --- think of it as a
tiny little file that simply contains the name of the file that should
really be opened.  However, once that has been done, the system
automatically switches to opening the link target instead, and it's
the permissions on the target and its containing directory that have
the most effect practically.

There's a '-h' flag to chown(1) that works equivalently for changing
ownership.

However, in general, you don't need to fiddle with link permissions
and ownership.  root:wheel ownership and lrwxrwxrwx permissions will
work just fine.
 
> root# ls -ld /usr/chantelle/fax
> drwxrwxrwx  2 chantelle  wheel  512 Mar 30 02:26 /usr/chantelle/fax
> root# ls -ld /usr/david/fax
> drwxrwxrwx  2 david  wheel  512 Mar 30 02:40 /usr/david/fax
> root# 
> 
> Even going further upstream doesn't show anything;
> 
> root# ls -ld /usr/chantelle
> drwxr-xr-x  7 chantelle  wheel  1024 Mar 29 23:13 /usr/chantelle
> root# ls -ld /usr/david
> drwxr-xr-x  68 david  wheel  5632 Mar 29 22:23 /usr/david
> 
> I am having a problem writing to the top dir shown, (chantelle)
> but not the following one (david).

Hmmm... I think you're barking somewhat up the wrong tree here.
Permissions are too lax, if anything --- I'd certainly change the
permissions on those personal fax directories to 755 or 775.

The question is, what is the UID of the process that is attempting to
write to those fax directories?  Is it a well-known Fax management
package or something home brewed?  Either way permissions need to be
controlled.  The process either has to have a real UID of root and be
able to set its effective UID to the owner of the directory (see
seteuid(2)), or it has to belong to the same group as the group
ownership of the directories, and group write permission has to be set
on the directories.  In the latter case, it helps to make sure that
any files created also have group write permission or the directory
owner won't be able to modify them.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
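
An added example, not part of the original message: a Python check that follows a link such as the ones under /usr/local/www/data/fax and reports, from mode bits alone, whether a process with a given effective UID and group set could create files in the target directory. The function names are hypothetical; it examines only the target and its containing directory and ignores ACLs and file flags (assumptions).

```python
import os
import stat
import sys

def class_bits(st, uid, gids):
    """rwx triplet (0-7) that applies: owner bits, else group bits, else other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def explain_write_access(path, uid, gids):
    """Judge from mode bits alone whether a process with effective UID `uid`
    and group set `gids` could create files in the directory `path` names.
    Returns (allowed, report_lines). Only the target and its containing
    directory are examined; ACLs and file flags are ignored (assumption)."""
    report = []
    lst = os.lstat(path)
    if stat.S_ISLNK(lst.st_mode):
        # Show the link itself, as 'ls -l' would.
        report.append(f"{stat.filemode(lst.st_mode)} {path} -> {os.readlink(path)}")
    target = os.path.realpath(path)  # where the open really lands
    checks = ((os.path.dirname(target), 0o1, "search"),
              (target, 0o3, "write+search"))
    allowed = True
    for p, need, label in checks:
        st = os.stat(p)
        # UID 0 is not limited by directory mode bits.
        ok = uid == 0 or (class_bits(st, uid, gids) & need) == need
        allowed = allowed and ok
        report.append(f"{stat.filemode(st.st_mode)} uid={st.st_uid} gid={st.st_gid} "
                      f"{p}: {label} {'ok' if ok else 'DENIED'}")
    return allowed, report

if __name__ == "__main__":
    # usage: script.py PATH [UID [GID ...]]; defaults to the current process
    path = sys.argv[1] if len(sys.argv) > 1 else "."
    uid = int(sys.argv[2]) if len(sys.argv) > 2 else os.geteuid()
    gids = {int(g) for g in sys.argv[3:]} or set(os.getgroups()) | {os.getegid()}
    allowed, lines = explain_write_access(path, uid, gids)
    print("\n".join(lines))
    print("write allowed" if allowed else "write denied")
```

Run it with the UID and GIDs of the process that writes the faxes to see which directory, if any, denies it.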