Execute permission for root?

Robert Watson robert at cyrus.watson.org
Mon Nov 29 15:13:37 GMT 1999 

On Mon, 29 Nov 1999, Peter J. Holzer wrote:

> On 1999-11-28 15:38:38 -0800, Andrew Morgan wrote:
> > I believe if you take the POSIX.1e draft as a whole,
> 
> I don't have it at hand to check, but

There's the normal access control algorithm listed, but I thought there
was another reference that I'm having trouble finding now.  See below.

> > it becomes clear
> > that the root user is no different from any other user. Thus,
> > 
> > no to this one:
> > > -rwxr--r--   1 andy     users      143642 Nov 28 20:52 script1
> > 
> > yes if root is in the 'users' group and no otherwise:
> > > -rw-r-xr--   1 andy     users      143642 Nov 28 20:52 script2
> > 
> > no to this one:
> > > -rw-r--r--   1 andy     users      143642 Nov 28 20:52 noscript
> 
> If this is true, it deviates from the behaviour of current Unix systems.
> On Linux (2.2.x), HP-UX (10.20) and Solaris (7), root can execute the
> first two scripts (regardless of the group) but not the third one.

The way I implemented this in my FreeBSD ACLs distribution was to see if
any party was granted execute permission in the ACL, in which case root
would succeed.  This is consistent with the current BSD behavior of
allowing root permission if any of owner, group, or other has execute
permission.  There is however a good question as to why root would want to
execute the code, given that that would yield root privileges to whoever
could write to the file :-).  I'm currently mulling on this one, and
leaning towards moving back to the POSIX.1e evaluation algorithm for
execute purposes, or making it a configurable flag at runtime using the
BSD sysctl mechanism, with a "traditional" mode, and a "safe/compliant"
mode.

  Robert N M Watson 

robert at fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message

More information about the posix1e mailing list