From: Chris Rees
Date: Sun, 23 Dec 2012 16:48:48 +0000
Subject: Re: What is "negative group permissions"? (Re: narawntapu security run output)
To: Barney Wolff
Cc: "Mikhail T.", stable@freebsd.org
In-Reply-To: <20121223162332.GA38788@pit.databus.com>
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)

On 23 December 2012 16:23, Barney Wolff wrote:

[moving Barney's top post down]

> On Sun, Dec 23, 2012 at 10:51:24AM -0500, Mikhail T. wrote:
>> On 23.12.2012 03:05, Charlie Root wrote:
>> > Checking negative group permissions:
>> > 8903027 -rw--w-r--  1 mi  www  794277 Oct 23 07:47:45 2007 /home/mi/public_html/syb/order/download.log
>> Hello!
>>
>> The above started to appear in the daily security run output after I
>> upgraded to 9.1. I don't understand what this check is doing or why the
>> above file is reported -- what's abnormal (warning-worthy) about
>> allowing the web server to write to, but not read, a file? I did it on
>> purpose to keep all files associated with a project together, but
>> without inadvertently serving some of them...
>
> The r for other means that you have not accomplished your goal. It makes
> no sense to have group with less permission than other, so the script is
> warning of a misconfiguration.

Not at all; anything in the www group can't read the file, which is what
Mikhail wants. If he has thought about the consequences of exactly what this
means, i.e. normal users can read only, the www group can write only, and mi
can read/write, then he can ignore the warning. Negative group permissions
are sometimes useful; that's why they're allowed.

>> I understand I can explicitly disable it, but I'm curious... Whether it
>> should run by default or not, what is the purpose of it?

They involve a lot of thought to get right, and chmod g-w on something where
you probably meant chmod go-w is a disastrous but (perhaps) common error.

Chris
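The check Chris and Barney are discussing reduces to one condition: some permission bit is set for "other" that is not set for "group". The script below reproduces that test in portable shell and then walks through the chmod g-w vs. chmod go-w mistake Chris mentions. It is an added example, not the periodic(8) security script from the thread; it assumes only POSIX sh, ls, chmod and mktemp, and the files it inspects are temporary ones it creates itself.

```sh
#!/bin/sh
# Added example (not FreeBSD's periodic(8) security script): reproduce the
# "negative group permissions" check in portable shell and show why
# "chmod g-w" where "chmod go-w" was meant trips it.

# Turn the 9-character symbolic mode that ls -l prints after the file-type
# character (e.g. "rw--w-r--") into an octal string ("624").  s/t count as
# the execute bit being set; setuid/setgid/sticky themselves are ignored.
sym_to_octal() {
    s=$1
    [ "${#s}" -eq 9 ] || { echo "sym_to_octal: need 9 characters, got '$s'" >&2; return 1; }
    total=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}      # first character of $s
        s=${s#?}             # drop it
        case $c in
            r|w|x|s|t) bit=1 ;;
            -|S|T)     bit=0 ;;
            *) echo "sym_to_octal: bad character '$c'" >&2; return 1 ;;
        esac
        total=$(( (total << 1) | bit ))
    done
    printf '%o\n' "$total"
}

# Given an octal mode (e.g. 624), print as one octal digit the permission
# bits that "other" has but "group" lacks.  0 means the file would not be
# reported; anything else is a negative group permission.
neg_group_bits() {
    mode=$(printf '%d' "0$1")      # leading 0 makes printf parse it as octal
    g=$(( (mode >> 3) & 7 ))
    o=$(( mode & 7 ))
    printf '%o\n' $(( o & ~g & 7 ))
}

# Report one file.  The mode is read from ls -ld because stat(1) flags differ
# between FreeBSD and Linux while the ls column does not.  Prints the
# negative-group bits on stdout and a warning on stderr when they are non-zero.
check_file() {
    sym=$(ls -ld "$1" | cut -c2-10) || return 1
    oct=$(sym_to_octal "$sym") || return 1
    neg=$(neg_group_bits "$oct")
    if [ "$neg" != 0 ]; then
        echo "negative group permissions: $1 (mode $oct; other has $neg that group lacks)" >&2
    fi
    printf '%s\n' "$neg"
}

# Demonstration on constructed temporary files (nothing from the thread).
demo() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/negperm.XXXXXX") || return 1
    : > "$tmp/download.log"
    chmod 624 "$tmp/download.log"     # -rw--w-r--, the mode from the security run output
    check_file "$tmp/download.log"    # 4: other can read, group (www) cannot

    : > "$tmp/wrong"; : > "$tmp/right"
    chmod 666 "$tmp/wrong" "$tmp/right"
    chmod g-w  "$tmp/wrong"           # 646: still world-writable, and now flagged
    chmod go-w "$tmp/right"           # 644: what was actually meant
    check_file "$tmp/wrong"           # 2: other keeps write, group lost it
    check_file "$tmp/right"           # 0
    rm -rf "$tmp"
}

demo
```

Mikhail's file (mode 624) is reported because the "r" for other is a bit the www group does not have; whether that is a misconfiguration depends, as Chris says, on whether that split was intended. The g-w/go-w pair shows the case the check exists for: the file stays world-writable, and the only hint is this warning.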