Date:      Sun, 23 Dec 2012 16:48:48 +0000
From:      Chris Rees <crees@FreeBSD.org>
To:        Barney Wolff <barney@databus.com>
Cc:        "Mikhail T." <mi+thun@aldan.algebra.com>, stable@freebsd.org
Subject:   Re: What is "negative group permissions"? (Re: narawntapu security run output)
Message-ID:  <CADLo83-iEdD8C=K7qc6_V4CUA=edcOD91Ywz1Tb286wiMyQJLw@mail.gmail.com>
In-Reply-To: <20121223162332.GA38788@pit.databus.com>
References:  <201212230805.qBN850Pj083122@narawntapu.narawntapu> <50D7287C.7020802@aldan.algebra.com> <20121223162332.GA38788@pit.databus.com>

On 23 December 2012 16:23, Barney Wolff <barney@databus.com> wrote:

[moving Barney's top post down]

> On Sun, Dec 23, 2012 at 10:51:24AM -0500, Mikhail T. wrote:
>> On 23.12.2012 03:05, Charlie Root wrote:
>> > Checking negative group permissions:
>> >   8903027 -rw--w-r--  1 mi    www    794277 Oct 23 07:47:45 2007 /home/mi/public_html/syb/order/download.log
>> Hello!
>>
>> The above started to appear in the daily security run output after I
>> upgraded to 9.1. I don't understand, what this check is doing or why the
>> above file is reported -- what's abnormal (warning-worthy) about
>> allowing the web-server to write to, but not read a file? I did it on
>> purpose to keep all files associated with a project together, but
>> without inadvertently serving some of them...
>
> The r for other means that you have not accomplished your goal.  It makes
> no sense to have group with less permission than other, so the script is
> warning of a misconfiguration.

Not at all; anything in www group can't read the file, which is what
Mikhail wants to do.

If he has thought about the consequences of exactly what this means,
i.e. normal users can read-only, www group can write-only, mi can
read/write, then he can ignore the warning.

Negative group permissions are sometimes useful, that's why they're allowed.

>> I understand, I can explicitly disable it, but I'm curious... Whether it
>> should run by default or not, what is the purpose of it?

They involve a lot of thought to get right; also, chmod g-w on
something where you probably meant chmod go-w is a disastrous but
(perhaps) common error.

Chris
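The check discussed in this thread, as an added example in POSIX sh that is not part of the original messages and not FreeBSD's own periodic(8) script: it flags a mode whenever the other class holds a permission bit the group class lacks, and shows why a `chmod g-w` slip on a 666 file (646) is caught while `chmod go-w` (644) is not. The function names and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Added example (not FreeBSD's periodic(8) script): detect "negative group
# permissions", i.e. a file whose group class lacks a permission bit that
# the other class has. Function names and the sample listing are constructed.

# has_negative_group MODE: succeed if any bit set for "other" is clear for
# "group". MODE is an octal string such as 624 or 0624 (the leading 0 added
# below forces octal parsing in shell arithmetic).
has_negative_group() {
    m=$((0$1))
    grp=$(( (m >> 3) & 7 ))
    oth=$(( m & 7 ))
    [ $(( oth & ~grp )) -ne 0 ]
}

# sym_to_octal SYMBOLIC: convert a 10-character ls(1)/find -ls mode string
# such as -rw--w-r-- into three octal digits. s/t count as x; S/T (setuid,
# setgid or sticky without x) leave the x bit clear.
sym_to_octal() {
    s=${1#?}            # drop the file-type character
    out=; v=0; i=1
    while [ "$i" -le 9 ]; do
        c=${s%"${s#?}"}; s=${s#?}     # pop the first character of s
        case $c in
            r)     v=$((v | 4)) ;;
            w)     v=$((v | 2)) ;;
            x|s|t) v=$((v | 1)) ;;
        esac
        [ $((i % 3)) -eq 0 ] && { out="$out$v"; v=0; }
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# scan_listing: read find -ls style lines (inode, mode, links, owner, group,
# size, month, day, time, year, path) on stdin; print mode and path to flag.
scan_listing() {
    while read -r _ mode _ _ _ _ _ _ _ _ path; do
        has_negative_group "$(sym_to_octal "$mode")" && printf '%s %s\n' "$mode" "$path"
    done
}

# Constructed sample: the reported file (624), a "chmod g-w" slip on a 666
# file (646), and two ordinary files (644, 750) that must not be flagged.
SAMPLE='8903027 -rw--w-r--  1 mi   www    794277 Oct 23 07:47:45 2007 /home/mi/public_html/syb/order/download.log
8903028 -rw-r--rw-  1 mi   www       120 Oct 23 07:48:00 2007 /home/mi/public_html/syb/order/notes.txt
8903029 -rw-r--r--  1 mi   www       300 Oct 23 07:48:10 2007 /home/mi/public_html/syb/order/index.html
8903030 -rwxr-x---  1 root wheel    4096 Oct 23 07:48:20 2007 /home/mi/bin/run.sh'

printf '%s\n' "$SAMPLE" | scan_listing
```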
