Date: Fri, 24 Feb 2012 09:34:02 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: negative group permissions?
Message-ID: <4F47598A.9080400@infracaninophile.co.uk>
In-Reply-To: <20120224090848.GA28104@mech-cluster241.men.bris.ac.uk>
References: <20120224090848.GA28104@mech-cluster241.men.bris.ac.uk>

On 24/02/2012 09:08, Anton Shterenlikht wrote:
> Recently I started seeing this line
> in daily security output:
>
> Checking negative group permissions:
> 70834 -rw-r----x 1 root daemon 4 Feb 21 12:54:02 2012 /var/spool/output/lpd/.seq
>
> I've a parallel printer attached to
> a 9.9-CURRENT #2 r230787M box.
>
> What does it mean?

This means that non-root users in group daemon have only read
permissions on that file. Users that aren't root and that aren't in
group daemon have execute permission only.

It does look a bit odd, and I believe that file would just contain a job
number (IIRC -- haven't dealt much with lpd or lprng much recently) so
executing it doesn't really achieve anything.

This is the standard idiom to allow access for 'everyone, except members
of a particular group.'

One way you can get weird permissions is if you happen to use decimal
for permissions bitmaps rather than octal. A umask of '77' is not the
same thing at all as a umask of '077'. (It's effectively 0115, which
doesn't make much sense to me.) Most shells nowadays will assume you
mean octal whether you include the leading zero or not: the same is not
true if you use umask(2) to set the mask programmatically. Ditto for
other places you can set permissions like open(2) with O_CREAT or
mkdir(2).

> Should I be worried?

No more than a normal level of paranoia is indicated here.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
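
The decimal-versus-octal pitfall described in the message above, as an added example that is not part of the original e-mail. The function names are hypothetical, and "negative group permissions" is taken to mean that "other" holds a permission bit that "group" lacks, an assumption that matches the reported -rw-r----x.

```c
/* Added example: decimal vs. octal mode arguments. Function names are
 * hypothetical; the modes and masks are the ones discussed above. */
#include <stdio.h>
#include <sys/types.h>

/* Permission bits left on a new file: the requested mode with the mask
 * bits cleared, which is how umask(2) affects open(2) and mkdir(2). */
static mode_t effective_mode(mode_t requested, mode_t mask)
{
    return requested & ~mask & 0777;
}

/* Nonzero when "other" holds a permission bit that "group" lacks,
 * e.g. -rw-r----x (0641). Assumed definition of the reported condition. */
static int has_negative_group_perms(mode_t mode)
{
    mode_t group = (mode >> 3) & 07;
    mode_t other = mode & 07;
    return (other & ~group) != 0;
}

static void report(const char *label, mode_t requested, mode_t mask)
{
    mode_t m = effective_mode(requested, mask);
    printf("%-24s -> %04o%s\n", label, (unsigned)m,
           has_negative_group_perms(m) ? "  (negative group perms)" : "");
}

int main(void)
{
    report("mode 0666, umask 077", 0666, 077); /* octal mask, as intended */
    report("mode 0666, umask 77", 0666, 77);   /* decimal 77 == octal 0115 */
    report("mode 0644, umask 022", 0644, 022); /* octal mode, as intended */
    report("mode 644, umask 022", 644, 022);   /* decimal 644 == octal 01204 */
    return 0;
}
```

The decimal mask leaves the file group- and world-writable, and the decimal mode gives "other" read access that "group" does not have.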