Linux file permissions - Help
This is a discussion on Linux file permissions - Help ; Some interesting questions about the Linux FS @
Can someone help out with some answers?...
Linux file permissions
Some interesting questions about the Linux FS @
Can someone help out with some answers?
Re: Linux file permissions
> Some interesting questions about the Linux FS @
> Can someone help out with some answers?
Do you want _all_ the questions raised in that thread answered?
Let's start with the one you raised at the top of that Web-forum thread:
> What is the purpose and/or effectiveness of EXECUTE permission in
It's not intended as a security measure, if that's what you're thinking
-- except in the sense of ensuring that the indicated class of user
(user, group, world) is signalled thereby that the file is intended to
be an executable as opposed to a datafile.
The latter consideration is important, with, for example, e-mail clients
(MUAs = Mail User Agents): It's a settled tradition, that _no_ Unix
MUA violates, that received attachments, regardless of what the mail
claims them to be, never get saved with the executable bit set -- as a
further hurdle to the user accidentally executing something received in
the mail, prior to deciding he/she can trust it. This leads to the
traditional joke about "Unix honour-system viruses" that come with
attached instructions like the following:
Hi, please find attached a binary executable. Immediately upon
receipt, please do the following:
1. Save the file as "fnord" to /tmp
2. In a terminal window, do "chmod u+x /tmp/fnord".
3. Then, do "su -".
4. Then, do "/tmp/fnord". Thank you!
> As I understand it, if a LAN user has read access to a file (no
> execute) then couldn't he just copy the contents of that file into his
> home folder make this file executable and run it?
Obviously, if someone can read the bitstream of a file, then he can
snage that bitstream in any of a number of ways, create a new file
containing those bits, and execute it. So, if you want people to
absolutely not be able to execute a file, you must make sure they
cannot read it.
> So basically, is it not very safe to rely on restricting execution of
> files, unless you can deny execute permissions everywhere else on the
> system (so that you can't just copy file contents)?
If you can read a file, then you can inherently copy it to _somewhere_,
if only to a file on some other machine across a network. If you don't
want a user to execute it, therefore, you must make sure he cannot read
> "kosmosik" mentioned above that there's a way to imlement an ACL on
> the EXT fs. How can this be done ?
He might have been thinking of POSIX ACLs. They're still a pain in the
ass to administer. Are you sure you're solving the right problem? Most
of the time, if people start talking about filesystem ACLs, they're
attacking the wrong problem.
SELinux implements a slightly different type of ACL, though, by default
Fedora has an implementation limited to just a few critical processes.
Rick Moen Magnus frater spectat te.