Date: Fri, 24 Feb 2012 14:41:44 +0100 (CET)
From: Trond Endrestøl <Trond.Endrestol@fagskolen.gjovik.no>
To: Anton Shterenlikht <mexas@bristol.ac.uk>
Cc: FreeBSD questions <freebsd-questions@freebsd.org>
Subject: Re: negative group permissions?
Message-ID: <alpine.BSF.2.00.1202241433110.47275@mail.fig.ol.no>
In-Reply-To: <20120224125430.GB8026@mech-cluster241.men.bris.ac.uk>
References: <20120224090848.GA28104@mech-cluster241.men.bris.ac.uk> <4F47598A.9080400@infracaninophile.co.uk> <20120224125430.GB8026@mech-cluster241.men.bris.ac.uk>

On Fri, 24 Feb 2012 12:54-0000, Anton Shterenlikht wrote:

> On Fri, Feb 24, 2012 at 09:34:02AM +0000, Matthew Seaman wrote:
> > On 24/02/2012 09:08, Anton Shterenlikht wrote:
> > > Recently I started seeing this line
> > > in daily security output:
> > >
> > > Checking negative group permissions:
> > > 70834 -rw-r----x 1 root daemon 4 Feb 21 12:54:02 2012 /var/spool/output/lpd/.seq
> > >
> > > I've a parallel printer attached to
> > > a 9.9-CURRENT #2 r230787M box.
> > >
> > > What does it mean?
> >
> > This means that non-root users in group daemon have only read
> > permissions on that file.  Users that aren't root and that aren't in
> > group daemon have execute permission only.
> >
> > It does look a bit odd, and I believe that file would just contain a job
> > number (IIRC -- haven't dealt much with lpd or lprng much recently)
> > so executing it doesn't really achieve anything.
> >
> > This is the standard idiom to allow access for 'everyone, except members
> > of a particular group.'
>
> yes, I get this.
>
> > One way you can get weird permissions is if you happen to use decimal
> > for permissions bitmaps rather than octal.  A umask of '77' is not the
> > same thing at all as a umask of '077'.  (It's effectively 0115, which
> > doesn't make much sense to me.)  Most shells nowadays will assume you
> > mean octal whether you include the leading zero or not: the same is not
> > true if you use umask(2) to set the mask programmatically.  Ditto for
> > other places you can set permissions like open(2) with O_CREAT or mkdir(2).
>
> # umask
> 0022
> # pwd
> /var/spool/output/lpd
> # ls -al
> total 8
> drwxr-xr-x 2 root daemon 512 Feb 24 12:43 .
> drwxr-xr-x 3 root daemon 512 Mar 9 2010 ..
> -rw-rw-r-- 1 root daemon 41 Feb 21 12:54 lock
> -rw-rw-r-- 1 root daemon 25 Feb 21 12:54 status
> #
>
> Then I print something:
>
> % pwd | lpr
>
> Then this .seq file appears with weird permissions:
>
> # ls -al
> total 10
> drwxr-xr-x 2 root daemon 512 Feb 24 12:46 .
> drwxr-xr-x 3 root daemon 512 Mar 9 2010 ..
> -rw-r----x 1 root daemon 4 Feb 24 12:45 .seq
> -rw-rw-r-- 1 root daemon 41 Feb 24 12:45 lock
> -rw-rw-r-- 1 root daemon 25 Feb 24 12:45 status
> #
>
> # cat .seq
> 001
> #
>
> So presumably lpd(8) created this file, but I'm still
> unsure why permissions are so strange. But what interests
> me more is why I didn't see it until about 1-2 months
> ago? Has something changed in -current, e.g. in open(2)
> like you suggest? Or have I messed up with my setup?
> Or maybe it was always like this, but the security
> check didn't pick it up?
>
> > > Should I be worried?
> >
> > No more than a normal level of paranoia is indicated here.

Looking at usr.sbin/lpr/lpr/lpr.c at around line 847 (RELENG_9):

    (void) snprintf(buf, sizeof(buf), "%s/.seq", pp->spool_dir);
    seteuid(euid);
    if ((fd = open(buf, O_RDWR|O_CREAT, 0661)) < 0) {
        printf("%s: cannot create %s\n", progname, buf);
        exit(1);
    }
    if (flock(fd, LOCK_EX)) {
        printf("%s: cannot lock %s\n", progname, buf);
        exit(1);
    }

It remains a mystery why these files are created with mode 0661.
Mode 0660 should be more than sufficient. Maybe it's because of
flock(2), but the manpage for flock(2) does not mention the execute
bit at all.

The lpc enable/disable commands seem to affect only the group execute
bit of the lock file.

I haven't found any other source files where .seq files are created
or being used. Feel free to prove me wrong. :D

-- 
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. dir.   61 14 54 39,      | Office.....: +47 61 14 54 39,      |
| tlf. mob.   952 62 567,       | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+
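
Added example, not part of the original message and not FreeBSD source: a small C program that creates a `.seq` file with the mode from the quoted open(2) call under the umask shown in the thread, reads back the stored permission bits, and tests them for "negative" group permissions (other holds a bit that group lacks). The function names and the scratch directory under /tmp are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for mkdtemp() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Negative" group permission: other holds a bit that group lacks. */
static int negative_group(mode_t m)
{
    mode_t grp = (m & S_IRWXG) >> 3;    /* align group bits with other bits */
    return ((m & S_IRWXO) & ~grp) != 0;
}

/* Create <scratch dir>/.seq with open(2) under the given umask and return
 * the permission bits actually stored, or (mode_t)-1 on error. */
static mode_t created_mode(mode_t requested, mode_t mask)
{
    char dir[] = "/tmp/seqdemo.XXXXXX"; /* constructed scratch location */
    char path[64];
    struct stat st;
    mode_t old, result = (mode_t)-1;
    int fd;
    if (mkdtemp(dir) == NULL)
        return result;
    snprintf(path, sizeof(path), "%s/.seq", dir);
    old = umask(mask);
    fd = open(path, O_RDWR | O_CREAT | O_EXCL, requested);
    umask(old);                         /* restore the caller's umask */
    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            result = st.st_mode & 0777;
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    mode_t seq = created_mode(0661, 022);   /* mode in lpr.c, umask from the thread */
    mode_t alt = created_mode(0660, 022);   /* the mode suggested instead */
    printf("0661 under 022 -> %04o negative=%d\n", (unsigned)seq, negative_group(seq));
    printf("0660 under 022 -> %04o negative=%d\n", (unsigned)alt, negative_group(alt));
    /* umask(77) is decimal 77, i.e. octal 0115, not 077 */
    printf("0666 under 77  -> %04o\n", (unsigned)created_mode(0666, 77));
    return 0;
}
```

With umask 022 the requested 0661 is stored as 0641 (-rw-r----x), which is the mode in the security report; 0660 is stored as 0640 and is not flagged.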