Linux file permissions - Help

This is a discussion on Linux file permissions - Help ; Some interesting questions about the Linux FS @ "http://www.fedoraforum.org/forum/showthread.php?p=215558". Can someone help out with some answers?...

+ Reply to Thread
Results 1 to 2 of 2

Thread: Linux file permissions

  1. Linux file permissions

    Some interesting questions about the Linux FS @
    "http://www.fedoraforum.org/forum/showthread.php?p=215558".

    Can someone help out with some answers?


  2. Re: Linux file permissions

    sergeroz wrote:
    > Some interesting questions about the Linux FS @
    > "http://www.fedoraforum.org/forum/showthread.php?p=215558".
    >
    > Can someone help out with some answers?


    Do you want _all_ the questions raised in that thread answered?

    Let's start with the one you raised at the top of that Web-forum thread:

    > What is the purpose and/or effectiveness of EXECUTE permission in
    > Linux?


    It's not intended as a security measure, if that's what you're thinking
    -- except in the sense of ensuring that the indicated class of user
    (user, group, world) is signalled thereby that the file is intended to
    be an executable as opposed to a datafile.

    The latter consideration is important, with, for example, e-mail clients
    (MUAs = Mail User Agents): It's a settled tradition, that _no_ Unix
    MUA violates, that received attachments, regardless of what the mail
    claims them to be, never get saved with the executable bit set -- as a
    further hurdle to the user accidentally executing something received in
    the mail, prior to deciding he/she can trust it. This leads to the
    traditional joke about "Unix honour-system viruses" that come with
    attached instructions like the following:

    Hi, please find attached a binary executable. Immediately upon
    receipt, please do the following:

    1. Save the file as "fnord" to /tmp
    2. In a terminal window, do "chmod u+x /tmp/fnord".
    3. Then, do "su -".
    4. Then, do "/tmp/fnord". Thank you!



    > As I understand it, if a LAN user has read access to a file (no
    > execute) then couldn't he just copy the contents of that file into his
    > home folder make this file executable and run it?


    Obviously, if someone can read the bitstream of a file, then he can
    snage that bitstream in any of a number of ways, create a new file
    containing those bits, and execute it. So, if you want people to
    absolutely not be able to execute a file, you must make sure they
    cannot read it.

    > So basically, is it not very safe to rely on restricting execution of
    > files, unless you can deny execute permissions everywhere else on the
    > system (so that you can't just copy file contents)?


    If you can read a file, then you can inherently copy it to _somewhere_,
    if only to a file on some other machine across a network. If you don't
    want a user to execute it, therefore, you must make sure he cannot read
    it.

    > "kosmosik" mentioned above that there's a way to imlement an ACL on
    > the EXT fs. How can this be done ?


    He might have been thinking of POSIX ACLs. They're still a pain in the
    ass to administer. Are you sure you're solving the right problem? Most
    of the time, if people start talking about filesystem ACLs, they're
    attacking the wrong problem.

    SELinux implements a slightly different type of ACL, though, by default
    Fedora has an implementation limited to just a few critical processes.

    --
    Cheers,
    Rick Moen Magnus frater spectat te.
    rick@linuxmafia.com

+ Reply to Thread