From: Frank Leonhardt
Date: Mon, 23 Sep 2013 12:51:52 +0100
To: freebsd-questions@freebsd.org
Subject: Re: What is Negative permissions
Message-ID: <52402B58.5010505@fjl.co.uk>
In-Reply-To: <52401DDF.9080502@eskk.nu>

On 23/09/2013 11:54, Leslie Jensen wrote:
>
> In the daily security run I see the following:
>
> Checking setuid files and devices:
>
> Checking negative group permissions:
> 3791965 -rwxr--r-x 1 admin wheel 172 Mar 9 10:59:55 2011
> /usr/home/admin/bin/noip_update.sh
>
>
> Is it just a reminder that the group has no x permissions or should I
> give those permissions?

Yes, basically. It's obviously very odd to give everyone OTHER than :wheel
members permission to run it.

What about user root in group wheel - is root allowed to run it? Actually,
yes, even though you might think you've forbidden members of "wheel".

Regards, Frank.
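
A way to reproduce the check behind the "negative group permissions" report, as an added example that is not part of the original message and not FreeBSD's own periodic script. The helper name `neg_group_perm` and the scratch files are assumptions; the 0745 mode is the one from the listing above.

```shell
#!/bin/sh
# Added example (not from the original message): find "negative group
# permissions", i.e. files where "other" holds a bit that "group" lacks.

# neg_group_perm DIR...  (hypothetical helper name)
# Prints each regular file under DIR where other has r, w or x while the
# group class does not have the same bit. Stays on one filesystem.
neg_group_perm() {
    find "$@" -xdev -type f \( \
        \( -perm -004 ! -perm -040 \) -o \
        \( -perm -002 ! -perm -020 \) -o \
        \( -perm -001 ! -perm -010 \) \
    \) -print
}

# Constructed demonstration in a scratch directory:
#   noip_update.sh  0745  -rwxr--r-x  (the mode in the report above)
#   nowrite.txt     0606  -rw----rw-  (group lacks r and w)
#   normal.sh       0755  -rwxr-xr-x  (group and other equal; not reported)
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/negperm.XXXXXX") || return 1
    : > "$d/noip_update.sh" && chmod 745 "$d/noip_update.sh"
    : > "$d/nowrite.txt"    && chmod 606 "$d/nowrite.txt"
    : > "$d/normal.sh"      && chmod 755 "$d/normal.sh"
    (cd "$d" && neg_group_perm . | LC_ALL=C sort)
    rm -rf "$d"
}

demo
```

Clearing a finding means either granting the group the missing bit (`chmod g+x`) or removing it from other (`chmod o-x`), depending on which access was intended.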