From: Jason Hellenthal
To: jb
Cc: freebsd-current@freebsd.org
Date: Wed, 29 Feb 2012 11:41:15 -0500
Subject: Re: negative group permissions?
Message-ID: <20120229164115.GB64201@DataIX.net>
List-Id: Discussions about the use of FreeBSD-current

On Wed, Feb 29, 2012 at 04:18:45PM +0000, jb wrote:
> Ian Lepore damnhippie.dyndns.org> writes:
>
> > ...
> > It's not a
> > directory or executable file in the first place, so making it executable
> > for everyone except the owner and group is not some sort of subtle
> > security trick, it's just meaningless.
> > ...
>
> Is it meaningless ?
>
> Example:
> # cat /var/spool/output/lpd/.seq
> #! /usr/local/bin/bash
> touch /tmp/jb-test-`echo $$`
>
> # ls -al /var/spool/output/lpd/.seq
> -rw-r----x 1 root daemon 54 Feb 29 17:05 /var/spool/output/lpd/.seq
> # /var/spool/output/lpd/.seq
> #
> # ls /tmp/jb*
> /tmp/jb-test-61789
>
> # chmod 0640 /var/spool/output/lpd/.seq
> # ls -al /var/spool/output/lpd/.seq
> -rw-r----- 1 root daemon 52 Feb 29 17:11 /var/spool/output/lpd/.seq
> # /var/spool/output/lpd/.seq
> su: /var/spool/output/lpd/.seq: Permission denied
> #
>

Giving execute bit to others by security means to allow others to search
for that file and find it. If it's not there then the process created by
current user will not be able to read the file since they are not part
of the daemon group.

I would assume that sometimes the contents of .seq was judged to be
insecure for whatever reason but judged that a user should be able to
still in a sense read the file without reading its contents.

Negative perms are not harmful.

I do suppose a 'daily_status_security_neggrpperm_dirs=' variable should
be added here to control which directories are being scanned much like
chknoid.

-- 
;s =;
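
An added example, not part of the original message and not FreeBSD's own periodic script: a POSIX sh scan for files whose "other" class holds a permission bit that the "group" class lacks (such as the 0641 `.seq` above), restricted to the directories given as arguments, which is the role the suggested `daily_status_security_neggrpperm_dirs` variable would play. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# neggrpperm_scan DIR...
# Print regular files under each DIR where "other" has r, w or x
# but "group" does not have the same bit (negative group permissions).
neggrpperm_scan() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue      # skip entries that are not directories
        # -xdev keeps find on one filesystem; each clause pairs an
        # "other" bit that is set with the matching "group" bit unset.
        find "$dir" -xdev -type f \( \
            \( -perm -001 ! -perm -010 \) -o \
            \( -perm -002 ! -perm -020 \) -o \
            \( -perm -004 ! -perm -040 \) \) -print
    done
}

# neggrpperm_demo
# Build constructed sample files in a scratch directory, scan it, and
# print the flagged file names on one line (sorted, space separated).
neggrpperm_demo() {
    tmp=$(mktemp -d) || return 1
    # 0641 is the mode of .seq in the thread (-rw-r----x).
    for mode in 0641 0640 0604 0644 0602 0666; do
        : > "$tmp/f$mode"
        chmod "$mode" "$tmp/f$mode"
    done
    (cd "$tmp" && neggrpperm_scan .) | sed 's|^\./||' | sort | paste -sd ' ' -
    rm -rf "$tmp"
}

neggrpperm_demo
```

Only 0641, 0604 and 0602 are reported; 0640, 0644 and 0666 give the group at least every bit that others have.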