Date: Fri, 24 Feb 2012 12:54:30 +0000 From: Anton Shterenlikht <mexas@bristol.ac.uk> To: Matthew Seaman <m.seaman@infracaninophile.co.uk> Cc: freebsd-questions@freebsd.org Subject: Re: negative group permissions? Message-ID: <20120224125430.GB8026@mech-cluster241.men.bris.ac.uk> In-Reply-To: <4F47598A.9080400@infracaninophile.co.uk> References: <20120224090848.GA28104@mech-cluster241.men.bris.ac.uk> <4F47598A.9080400@infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Feb 24, 2012 at 09:34:02AM +0000, Matthew Seaman wrote: > On 24/02/2012 09:08, Anton Shterenlikht wrote: > > Recently I started seeing this line > > in daily security output: > > > > Checking negative group permissions: > > 70834 -rw-r----x 1 root daemon 4 Feb 21 12:54:02 2012 /var/spool/output/lpd/.seq > > > > I've a parallel printer attached to > > a 9.9-CURRENT #2 r230787M box. > > > > What does it mean? > > This means that non-root users in group daemon have only read > permissions on that file. Users that aren't root and that aren't in > group daemon have execute permission only. > > It does look a bit odd, and I believe that file would just contain a job > number (IIRC -- haven't dealt much with lpd or lprng much recently) > so executing it doesn't really achieve anything. > > This is the standard idiom to allow access for 'everyone, except members > of a particular group.' yes, I get this. > One way you can get weird permissions is if you happen to use decimal > for permissions bitmaps rather than octal. A umask of '77' is not the > same thing at all as a umask of '077'. (It's effectively 0115, which > doesn't make much sense to me.) Most shells nowadays will assume you > mean octal whether you include the leading zero or not: the same is not > true if you use umask(2) to set the mask programatically. Ditto for > other places you can set permissions like open(2) with O_CREAT or mkdir(2). # umask 0022 # pwd /var/spool/output/lpd # ls -al total 8 drwxr-xr-x 2 root daemon 512 Feb 24 12:43 . drwxr-xr-x 3 root daemon 512 Mar 9 2010 .. -rw-rw-r-- 1 root daemon 41 Feb 21 12:54 lock -rw-rw-r-- 1 root daemon 25 Feb 21 12:54 status # Then I print something: % pwd | lpr Then this .seq file appears with weird permissions: # ls -al total 10 drwxr-xr-x 2 root daemon 512 Feb 24 12:46 . drwxr-xr-x 3 root daemon 512 Mar 9 2010 .. -rw-r----x 1 root daemon 4 Feb 24 12:45 .seq -rw-rw-r-- 1 root daemon 41 Feb 24 12:45 lock -rw-rw-r-- 1 root daemon 25 Feb 24 12:45 status # # cat .seq 001 # So presumably lpd(8) created this file, but I'm still unsure why permissions are so strange. But interests me more, is why I didn't see it until about 1-2 months ago? Has something chaged in -current, e.g. in open(2) like you suggest? Or has I messed up with my setup? Or maybe it was always like this, but the security check didn't pick it up? > > > Should I be worried? > > No more than a normal level of paranoia is indicated here. Thanks -- Anton Shterenlikht Room 2.6, Queen's Building Mech Eng Dept Bristol University University Walk, Bristol BS8 1TR, UK Tel: +44 (0)117 331 5944 Fax: +44 (0)117 929 4423
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120224125430.GB8026>