Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 11 May 2005 15:44:04 -0400
From:      Chuck Swiger <cswiger@mac.com>
To:        Lewis Thompson <lewiz@compsoc.man.ac.uk>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: user owned groups
Message-ID:  <42826084.3090003@mac.com>
In-Reply-To: <20050511193111.GA94356@noisy.compsoc.man.ac.uk>
References:  <20050511165506.GC10213@asu.edu> <428242D7.6040103@mac.com> <20050511174702.GA23222@noisy.compsoc.man.ac.uk> <42824FFA.4080603@mac.com> <20050511185620.GA91019@noisy.compsoc.man.ac.uk> <428259DC.9050802@mac.com> <20050511193111.GA94356@noisy.compsoc.man.ac.uk>

next in thread | previous in thread | raw e-mail | index | archive | help
Lewis Thompson wrote:
> On Wed, May 11, 2005 at 03:15:40PM -0400, Chuck Swiger wrote:
>>If you "mkdir private && chmod 700 private", any files created under 
>>private will be safely[1] hidden away from anyone else but you, regardless 
>>of their permissions or what your umask is.
> 
> Ah, okay.  A slightly bad example.  How about 0711 (now a home
> directory, say /home/lewiz).  I would like to have a public_html
> directory that is generally accessible.

Um.  Don't put stuff which you want to be private in a public_html directory.

> Since /home/lewiz is now executable is it not possible for somebody to
> do, say, cat /home/lewiz/.cshrc?  They know the file is there (but can't
> use ls to see it) so can access it.

Sure, modulo the permissions on .cshrc itself.  If you don't want them to, 
give that file 600 perms.  The Unix octal permissions bits work just fine for 
almost all reasonable cases, but no default is ever going to suit all possible 
variations of intent.

If you want to control access to something, set the access you want 
explicitly, do not hope that the system defaults will guess what you want. 
(DWIM is a horrible idea in general, and is an even worse idea for security.)

Anyway, if you do want to do something more complex, look to UFS2 and POSIX ACL's.

-- 
-Chuck



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42826084.3090003>