From owner-p4-projects@FreeBSD.ORG Sun Aug 3 14:26:29 2003
Date: Sun, 3 Aug 2003 14:26:27 -0700 (PDT)
Message-Id: <200308032126.h73LQROm042890@repoman.freebsd.org>
From: Robert Watson To: Perforce Change Reviews Subject: PERFORCE change 35437 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Aug 2003 21:26:30 -0000 http://perforce.freebsd.org/chv.cgi?CH=35437 Change 35437 by rwatson@rwatson_paprika on 2003/08/03 14:25:56 More notes on file permissions and UFS protections, to be fleshed out into text later. Affected files ... .. //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/secarch/chapter.sgml#8 edit Differences ... ==== //depot/projects/trustedbsd/doc/en_US.ISO8859-1/books/developers-handbook/secarch/chapter.sgml#8 (text+ko) ==== @@ -1376,7 +1376,7 @@ - UFS Mode Field + UFS Owner and Mode Fields @@ -1392,20 +1392,35 @@ generally implemented only at open() for files, per operation for directories -file - write - read - execute +file, device, fifo + write write/append file contents, truncate file, map writable + read read file contents, map readable + execute permission to execve() apply to data of file; also user namespace extended attributes system namespace extended attributes require suser - admin limited to owner, suser + admin limited to owner + + additional protections may apply to device objects as implemented + by the device driver. + +socket + write (connect) + read unused + execute unused + +symlink + permissions have no effect on symlink operations directory - write - read - execute + write (insert, delete) + read (list) + execute (lookup) + sticky bit special protection for objects in directory + must be object owner or directory owner to + delete/replace entries in the directory, + regardless of permissions apply to data of directory; also user namespace extended attributes system namespace extended attributes require suser 
@@ -1467,6 +1482,29 @@ requested creation mode for the operation, and the protections on the parent directory (specifically, the default ACL). +New UFS file system objects will be assigned the effective uid +of the authorizing credential as their owner uid. + +New UFS file system objects will be assigned a group equal to the +group of the directory in which the object is created. + +Setgid flag removed from new file system objects if the creating +credential is not a member of the group. + +Processes requesting the creation of the file provide two elements +used to calculate the new object's mode bits: an explicit creation +mode argument to the call creating the object, and an implicit +process umask, set by the umask() system call, which masks the +creation mode. + +In addition, the setgid bit will not be included in the mode of +a new object even if requested, if the object does not have a +group that appears in the process credential effective or extended +group. + +The sticky bit is only permitted for directory objects if the +authorizing credential is not privileged. + Note: composition of default ACL, umask, and cmode, are as defined in POSIX.1e; some other systems use alternative compositions.
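Review bot: in the @@ -1376 hunk, the retitled section "UFS Owner and Mode Fields" now promises coverage of the owner field, but the body that follows mentions the owner only in passing ("admin limited to owner" and the sticky-bit rule for directories). Consider adding a line after the title stating what the owner uid governs: which of the owner/group/other permission sets is selected for a credential, and who may change the mode and ownership.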
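Review bot: in the @@ -1392 hunk, the file "admin" line drops "suser" ("- admin limited to owner, suser" becomes "+ admin limited to owner"), which reads as if a privileged process can no longer change a file's mode or ownership; if privilege is meant to be covered separately, say so, otherwise restore it. The directory sticky-bit entry has the same gap: "regardless of permissions" should say that the owner check applies regardless of write permission on the directory and is still overridable by suser, consistent with the "require suser" lines in the same table.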