Controlling read access

John Almberg jalmberg at identry.com
Wed Aug 6 19:27:53 UTC 2008


> | Hi Greg,
> |
> | I tried your sequence, but it didn't seem to work. Or, perhaps it worked
> | and the PRIVSEP option doesn't do what I expect it to. Logging in as a
> | normal user gives that user root privileges.
> |
> | This seems pretty scary to me. Not so bad, since the user is locked into
> | his own directory, but enough power to hurt themselves, which is too
> | much power, IMHO. My users aren't experts. I can definitely see them
> | clicking the delete key by accident.
> |
> | Back to digging for info...
> |
> | Thanks: John
> |
>
> Hi John,
>
> After logging into pure-ftpd, even if I type "cd /", I cannot break out
> of my home directory.  Because of the way UNIX permissions work, if root
> (or any other user) owns a file in my home directory, I can still
> delete it.
>
> If you want to prevent that, you'll have to also use the
> chflags command to protect files that you don't want to be removed by
> anyone.
>
Wow... I learn something new in this job every day, but usually not
as new as that. This completely revises what I thought I knew about
permissions. If you had asked me this morning if I could delete a
file owned by root with permissions set to 400 from my own directory,
I would have said absolutely not. How wrong I would have been...

I guess I can do this because I own the directory that the foreign
file is in, and I should have control over that directory...

Yes... If I create a directory within my own home directory and
change the ownership of that directory to root:nobody, then I cannot
delete any file in that directory.

Okay, this is starting to make sense. I guess I just never noticed
this small detail of Unix file permissions. Very interesting!

I skimmed through the chflags section of "Absolute FreeBSD" on my
first read through... It rang a bell when you mentioned it, but I'd
completely forgotten about it. I'm going to read it much more
carefully this time :-)

Anyway, thanks to everyone who has helped me out with my week-long
struggle with 'simple' old FTP.

"Challenge your assumptions." That's the lesson of *this* week!

Brgds: John
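The rule the thread arrives at (unlink is governed by the directory's permissions, not the file's, and only chflags-style immutable flags override that) can be made concrete with a small model of the permission check. This is an added example, not code from the thread or from FreeBSD; the uids, gids, modes and the flag names it uses are constructed to mirror the three situations John describes (root-owned 0400 file in his own home, a root:nobody subdirectory, and a file protected with chflags). Real kernels add ACLs, securelevel and capability checks that this model leaves out.

```python
"""Model of the classic POSIX unlink(2) permission decision.

Added example for the freebsd-questions thread above, not project code.
It shows why a user can delete a root-owned, mode 0400 file that sits in a
directory the user owns, why moving the file into a root:nobody directory
stops that, and how a chflags(1) immutable flag blocks the removal.
Flag names follow FreeBSD's chflags(1); the uid/gid values are constructed.
"""
from dataclasses import dataclass, field

# Mode bits, same values as <sys/stat.h>
S_IWUSR, S_IXUSR = 0o200, 0o100
S_IWGRP, S_IXGRP = 0o020, 0o010
S_IWOTH, S_IXOTH = 0o002, 0o001
S_ISVTX = 0o1000  # sticky bit, as on /tmp

# chflags(1) flags that forbid removing an entry (assumption: modelled after
# FreeBSD's ufs_remove checks; append-only on the *directory* also blocks it)
FILE_BLOCKING_FLAGS = {"schg", "uchg", "sunlnk", "uunlnk", "sappnd", "uappnd"}
DIR_BLOCKING_FLAGS = {"schg", "uchg", "sappnd", "uappnd"}


@dataclass
class Node:
    """A file or directory: ownership, mode bits and chflags-style flags."""
    owner_uid: int
    owner_gid: int
    mode: int
    flags: set = field(default_factory=set)


@dataclass
class Cred:
    """The caller: effective uid plus all group memberships."""
    uid: int
    gids: set


def has_mode(node: Node, cred: Cred, usr: int, grp: int, oth: int) -> bool:
    """Classic owner / group / other check; root passes everything."""
    if cred.uid == 0:
        return True
    if cred.uid == node.owner_uid:
        return bool(node.mode & usr)
    if node.owner_gid in cred.gids:
        return bool(node.mode & grp)
    return bool(node.mode & oth)


def can_unlink(parent: Node, target: Node, cred: Cred) -> tuple:
    """Return (allowed, reason) for removing `target` from `parent`.

    Note that target.mode is never consulted: unlink edits the directory,
    so the directory's write+search bits, the sticky bit and immutable
    flags are the only things that matter.
    """
    if target.flags & FILE_BLOCKING_FLAGS:
        return False, "target carries an immutable/undeletable flag (chflags)"
    if parent.flags & DIR_BLOCKING_FLAGS:
        return False, "parent directory carries an immutable/append-only flag"
    if not has_mode(parent, cred, S_IXUSR, S_IXGRP, S_IXOTH):
        return False, "no search (x) permission on parent directory"
    if not has_mode(parent, cred, S_IWUSR, S_IWGRP, S_IWOTH):
        return False, "no write permission on parent directory"
    if parent.mode & S_ISVTX and cred.uid not in (0, parent.owner_uid, target.owner_uid):
        return False, "sticky directory: caller owns neither the entry nor the directory"
    return True, "caller may write the directory, so the entry can be removed"


# Constructed scenarios mirroring the thread. uid 1001 = "john", gid 65534 = nobody.
JOHN = Cred(uid=1001, gids={1001})
ROOT_FILE_0400 = Node(owner_uid=0, owner_gid=0, mode=0o400)


def root_file_in_own_home() -> bool:
    """John's home (john:john 0755) holding a root-owned 0400 file."""
    home = Node(owner_uid=1001, owner_gid=1001, mode=0o755)
    return can_unlink(home, ROOT_FILE_0400, JOHN)[0]


def root_file_in_root_nobody_subdir() -> bool:
    """Same file after the subdirectory is chowned to root:nobody (0755)."""
    sub = Node(owner_uid=0, owner_gid=65534, mode=0o755)
    return can_unlink(sub, ROOT_FILE_0400, JOHN)[0]


def root_file_with_schg_in_own_home() -> bool:
    """File left in John's home but protected with `chflags schg`."""
    home = Node(owner_uid=1001, owner_gid=1001, mode=0o755)
    locked = Node(owner_uid=0, owner_gid=0, mode=0o400, flags={"schg"})
    return can_unlink(home, locked, JOHN)[0]


def other_users_file_in_sticky_tmp() -> bool:
    """Contrast: /tmp (root:wheel 1777) holding another user's file."""
    tmp = Node(owner_uid=0, owner_gid=0, mode=0o1777)
    theirs = Node(owner_uid=1002, owner_gid=1002, mode=0o666)
    return can_unlink(tmp, theirs, JOHN)[0]


if __name__ == "__main__":
    for fn in (root_file_in_own_home, root_file_in_root_nobody_subdir,
               root_file_with_schg_in_own_home, other_users_file_in_sticky_tmp):
        print(f"{fn.__name__}: {fn()}")
```

The first scenario returns True even though the file is root-owned and mode 0400, which is exactly what surprised John; the root:nobody directory and the schg flag both make it return False. The sticky-bit case is included because it is the one place where the entry's owner, rather than only the directory's mode, enters the decision.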
