Date:      Fri, 24 Feb 2012 09:34:02 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@freebsd.org
Subject:   Re: negative group permissions?
Message-ID:  <4F47598A.9080400@infracaninophile.co.uk>
In-Reply-To: <20120224090848.GA28104@mech-cluster241.men.bris.ac.uk>
References:  <20120224090848.GA28104@mech-cluster241.men.bris.ac.uk>

On 24/02/2012 09:08, Anton Shterenlikht wrote:
> Recently I started seeing this line
> in daily security output:
>
>   Checking negative group permissions:
>   70834 -rw-r----x  1 root  daemon  4 Feb 21 12:54:02 2012 /var/spool/output/lpd/.seq
>
> I've a parallel printer attached to
> a 9.9-CURRENT #2 r230787M box.
>
> What does it mean?

This means that non-root users in group daemon have only read
permissions on that file.  Users that aren't root and that aren't in
group daemon have execute permission only.

It does look a bit odd, and I believe that file would just contain a job
number (IIRC -- haven't dealt much with lpd or lprng much recently)
so executing it doesn't really achieve anything.

This is the standard idiom to allow access for 'everyone, except members
of a particular group.'

One way you can get weird permissions is if you happen to use decimal
for permissions bitmaps rather than octal.  A umask of '77' is not the
same thing at all as a umask of '077'.  (It's effectively 0115, which
doesn't make much sense to me.)  Most shells nowadays will assume you
mean octal whether you include the leading zero or not: the same is not
true if you use umask(2) to set the mask programmatically.  Ditto for
other places you can set permissions like open(2) with O_CREAT or mkdir(2).

> Should I be worried?

No more than a normal level of paranoia is indicated here.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
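
An added example, not part of the original message: it creates scratch files with open(2) under an octal and a decimal mask and mode, then applies a "negative group permissions" test (a bit granted to others but not to the group) to the results and to the 0641 mode from the report. The function names and the scratch path under /tmp are assumptions of this example.

```c
/* Added example: decimal vs octal permission constants, and a
 * check for "other" bits that the group class lacks. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* "Other" rwx bits that the group class does not also have (0 = none). */
static unsigned neg_group_bits(mode_t m)
{
    return (unsigned)(m & 07) & ~(unsigned)((m >> 3) & 07);
}

/* Create a scratch file with open(2) under the given umask and return
 * the permission bits it actually got, or (mode_t)-1 on error.
 * The /tmp location is an assumption of this demo. */
static mode_t created_mode(mode_t mask, mode_t requested)
{
    char path[64];
    struct stat st;
    mode_t result = (mode_t)-1;

    snprintf(path, sizeof path, "/tmp/negperm-demo-%ld", (long)getpid());
    mode_t old = umask(mask);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
    umask(old);                        /* restore the caller's mask */
    if (fd < 0)
        return result;
    if (fstat(fd, &st) == 0)
        result = st.st_mode & 0777;    /* ignore sticky/setid bits */
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    printf("umask(077), 0666 -> %04o\n", (unsigned)created_mode(077, 0666));
    printf("umask(77),  0666 -> %04o\n", (unsigned)created_mode(77, 0666));
    mode_t m = created_mode(022, 644);  /* decimal 644 == octal 01204 */
    printf("umask(022), 644  -> %04o, negative group bits %o\n",
           (unsigned)m, neg_group_bits(m));
    printf("0641 (mode in the report) -> negative group bits %o\n",
           neg_group_bits(0641));
    return 0;
}
```

The decimal mask 77 leaves other-write set, and the decimal mode 644 produces a file readable by others but not by its group, which is the kind of mode the daily security check reports.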

