From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@freebsd.org
Date: Fri, 24 Feb 2012 09:34:02 +0000
Subject: Re: negative group permissions?
Message-ID: <4F47598A.9080400@infracaninophile.co.uk>
In-Reply-To: <20120224090848.GA28104@mech-cluster241.men.bris.ac.uk>

On 24/02/2012 09:08, Anton Shterenlikht wrote:
> Recently I started seeing this line
> in daily security output:
>
> Checking negative group permissions:
> 70834 -rw-r----x 1 root daemon 4 Feb 21 12:54:02 2012 /var/spool/output/lpd/.seq
>
> I've a parallel printer attached to
> a 9.9-CURRENT #2 r230787M box.
>
> What does it mean?

This means that non-root users in group daemon have only read permissions on that file. Users that aren't root and that aren't in group daemon have execute permission only. It does look a bit odd, and I believe that file would just contain a job number (IIRC -- haven't dealt much with lpd or lprng recently) so executing it doesn't really achieve anything. This is the standard idiom to allow access for 'everyone, except members of a particular group.'

One way you can get weird permissions is if you happen to use decimal for permissions bitmaps rather than octal. A umask of '77' is not the same thing at all as a umask of '077'. (It's effectively 0115, which doesn't make much sense to me.) Most shells nowadays will assume you mean octal whether you include the leading zero or not: the same is not true if you use umask(2) to set the mask programmatically. Ditto for other places you can set permissions like open(2) with O_CREAT or mkdir(2).

> Should I be worried?

No more than a normal level of paranoia is indicated here.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
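The two points in the reply above, that decimal 77 handed to umask(2) is really octal 0115 and that the daily check flags files where "other" holds a bit that "group" lacks, can be seen directly in C. The program below is an added example written for this archive page; it is not code from the reply, from lpd, or from FreeBSD's periodic security scripts. The function names (effective_mode, has_negative_group_perms, mode_to_string, create_with_umask) are my own, and the negative-group test is my reading of what the check does rather than a copy of the script.

```c
/* Added example: decimal vs octal umask, and the "negative group
 * permissions" condition, demonstrated with real umask(2)/open(2) calls.
 * Not part of the original mailing-list thread. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Permission bits a file gets when created with `requested` under `mask`:
 * the kernel computes requested & ~mask. Pure arithmetic, no syscalls. */
mode_t effective_mode(mode_t requested, mode_t mask) {
    return requested & ~mask & 07777;
}

/* "Negative group permissions": some r/w/x bit is granted to "other"
 * but withheld from "group" (e.g. -rw-r----x, 0641). This mirrors the
 * intent of the daily security check as described in the reply; it is
 * my reconstruction, not the script's own find(1) expression. */
int has_negative_group_perms(mode_t mode) {
    mode_t g = (mode >> 3) & 07;
    mode_t o = mode & 07;
    return (o & ~g) != 0;
}

/* Render the nine permission bits the way ls(1) does, e.g. "rw-r----x". */
void mode_to_string(mode_t mode, char out[10]) {
    const char *bits = "rwxrwxrwx";
    for (int i = 0; i < 9; i++)
        out[i] = (mode & (0400 >> i)) ? bits[i] : '-';
    out[9] = '\0';
}

/* Create a throwaway file under `mask` via open(2) O_CREAT and report the
 * permission bits it actually received, or -1 on error. Uses a private
 * mkdtemp(3) directory under /tmp (assumed writable) and cleans up after
 * itself; the process umask is restored before returning. */
int create_with_umask(mode_t mask, mode_t requested) {
    char dir[] = "/tmp/umask-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char path[64];
    snprintf(path, sizeof path, "%s/f", dir);

    mode_t old = umask(mask);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
    umask(old);                       /* never leave the mask changed */
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    rmdir(dir);
    return rc == 0 ? (int)(st.st_mode & 07777) : -1;
}

int main(void) {
    char buf[10];
    mode_t cases[] = { 0641, 0644, 0600 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        mode_to_string(cases[i], buf);
        printf("%04o %s negative-group=%d\n", (unsigned)cases[i], buf,
               has_negative_group_perms(cases[i]));
    }
    /* umask(077) vs umask(77): the latter is octal 0115 */
    int octal = create_with_umask(077, 0666);
    int decimal = create_with_umask(77, 0666);
    mode_to_string((mode_t)octal, buf);
    printf("umask 077 -> %04o %s\n", octal, buf);
    mode_to_string((mode_t)decimal, buf);
    printf("umask 77 (decimal, = 0%o) -> %04o %s\n", 77, decimal, buf);
    return 0;
}
```

Running it shows that 0641 (the lpd .seq file) trips the negative-group test while 0644 and 0600 do not, and that a file created with mode 0666 under umask(077) ends up 0600 whereas under umask(77) it ends up 0662: the decimal literal silently clears the wrong bits, which is exactly why the reply warns about leaving off the leading zero in programs, even though interactive shells forgive it.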