Date:      Sun, 23 Dec 2012 10:51:24 -0500
From:      "Mikhail T." <mi+thun@aldan.algebra.com>
To:        brooks@freebsd.org
Cc:        stable@FreeBSD.org
Subject:   What is "negative group permissions"? (Re: narawntapu security run output)
Message-ID:  <50D7287C.7020802@aldan.algebra.com>
In-Reply-To: <201212230805.qBN850Pj083122@narawntapu.narawntapu>
References:  <201212230805.qBN850Pj083122@narawntapu.narawntapu>

On 23.12.2012 03:05, Charlie Root wrote:
> Checking negative group permissions:
>   8903027 -rw--w-r--  1 mi    www    794277 Oct 23 07:47:45 2007 /home/mi/public_html/syb/order/download.log
Hello!

The above started to appear in the daily security run output after I
upgraded to 9.1. I don't understand what this check is doing or why the
above file is reported -- what's abnormal (warning-worthy) about
allowing the web-server to write to, but not read, a file? I did it on
purpose to keep all files associated with a project together, but
without inadvertently serving some of them...

The actual script generating this warning (110.neggrpperm) was added in 
2010 and meant to be off by default. There is no explicit mention of the 
knob daily_status_security_neggrpperm_enable in the log for 
etc/defaults/periodic.conf...

I understand I can explicitly disable it, but I'm curious... Whether it
should run by default or not, what is the purpose of it?

Thanks,

    -mi
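
The sketch below is an added example, not part of the original message and not the 110.neggrpperm script itself; it shows which mode bits make a file like the reported `-rw--w-r--` one stand out. It assumes that "negative group permissions" means the "other" class holds a read, write or execute bit that the owning group lacks; the function names and the sample files are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not the FreeBSD periodic script).
# Assumption: a file is reported when "other" holds a permission bit that
# the owning group lacks, so group members get less access than everyone else.

# find_neg_group_perms DIR: list regular files under DIR matching that rule.
find_neg_group_perms() {
    find "$1" -xdev -type f \( \
        \( -perm -004 ! -perm -040 \) -o \
        \( -perm -002 ! -perm -020 \) -o \
        \( -perm -001 ! -perm -010 \) \
    \) -print | sort
}

# neggrp_demo: build constructed sample files and print the names flagged.
neggrp_demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/neggrp.XXXXXX") || return 1
    # Same mode as the reported file: group may write but not read,
    # while others may read (rw--w-r--).
    : > "$d/download.log"; chmod 624 "$d/download.log"
    # Ordinary world-readable file: group and others hold the same bits.
    : > "$d/index.html"; chmod 644 "$d/index.html"
    # Group write-only, others nothing: others hold no bit the group lacks.
    : > "$d/upload.tmp"; chmod 620 "$d/upload.tmp"
    find_neg_group_perms "$d" | sed "s|^$d/||"
    rm -rf "$d"
}

neggrp_demo
```

Only `download.log` is listed: with mode 624 a member of the file's group is matched against the group bits and cannot read the file, although every other non-owner can.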
