Execute permission for root?
Robert Watson
robert at cyrus.watson.org
Mon Nov 29 15:13:37 GMT 1999
On Mon, 29 Nov 1999, Peter J. Holzer wrote:
> On 1999-11-28 15:38:38 -0800, Andrew Morgan wrote:
> > I believe if you take the POSIX.1e draft as a whole,
>
> I don't have it at hand to check, but
There's the normal access control algorithm listed, but I thought there
was another reference that I'm having trouble finding now. See below.
> > it becomes clear
> > that the root user is no different from any other user. Thus,
> >
> > no to this one:
> > > -rwxr--r-- 1 andy users 143642 Nov 28 20:52 script1
> >
> > yes if root is in the 'users' group and no otherwise:
> > > -rw-r-xr-- 1 andy users 143642 Nov 28 20:52 script2
> >
> > no to this one:
> > > -rw-r--r-- 1 andy users 143642 Nov 28 20:52 noscript
>
> If this is true, it deviates from the behaviour of current Unix systems.
> On Linux (2.2.x), HP-UX (10.20) and Solaris (7), root can execute the
> first two scripts (regardless of the group) but not the third one.
The way I implemented this in my FreeBSD ACLs distribution was to see if
any party was granted execute permission in the ACL, in which case root
would succeed. This is consistent with the current BSD behavior of
allowing root permission if any of owner, group, or other has execute
permission. There is however a good question as to why root would want to
execute the code, given that that would yield root privileges to whoever
could write to the file :-). I'm currently mulling on this one, and
leaning towards moving back to the POSIX.1e evaluation algorithm for
execute purposes, or making it a configurable flag at runtime using the
BSD sysctl mechanism, with a "traditional" mode, and a "safe/compliant"
mode.
Robert N M Watson
robert at fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message
More information about the posix1e
mailing list