sticky bits, owner, - Security

Thread: sticky bits, owner,

  1. sticky bits, owner,


    Hi all,

    I have the following setup:

    - two groups zope and users
    - a user zope in group zope
    - a user a in group users (main group) and in group zope
    - a user b in group users (main group) and in group zope

    A directory /var/lib/zope has following permissions:

    drwxrwsr-x zope zope /var/lib/zope

    So it is writable by all users in group zope, and files
    created here will also be owned by group zope.

    When user b creates a file here, it will get the following
    permissions:

    -rw-r--r-- b zope /var/lib/zope/a_file


    As a result, user a will not be able to modify this file.

    How can I achieve this?


    Some things I already have thought of:

    1) A possible solution would be to automatically set the
    g+w bit to newly created files. Is there any such mechanism
    (like the +s bit for automatically setting the group)?

    2) Another solution would be to automatically set the owner
    of the file to "zope" instead of "b". But this does not
    work (at least not by simply setting the u+s bit on the
    directory).
    And even *if* this worked, user b could not edit this file
    afterwards, because the g+w bit is still not set...

    I explicitly do not want to set umask for users a and/or b
    to something like 0002...

    Any hints?
    Thanks and regards
    -stefan-


  2. Re: sticky bits, owner,

    I demand that Stefan Palme may or may not have written...

    > [I] have the following setup:


    > - two groups zope and users
    > - a user zope in group zope
    > - a user a in group users (main group) and in group zope
    > - a user b in group users (main group) and in group zope


    > A directory /var/lib/zope has following permissions:


    > drwxrwsr-x zope zope /var/lib/zope


    > So it is writable by all users in group zope, and files created here will
    > also be owned by group zope.


    > When user b creates a file here, it will get the following permissions:
    > -rw-r--r-- b zope /var/lib/zope/a_file


    > As a result, user a will not be able to modify this file.


    > How can I achieve this?

    [snip]

    setfacl.

    Setting the default ACLs for that directory and all subdirectories should be
    sufficient:
    # setfacl -R --set d:g::rwx /var/lib/zope

    (If not done as root, you won't be able to set the ACLs for files owned by
    others.)

    This overrides the umask setting, effectively enforcing 0002 for
    newly-created objects ("getfacl /var/lib/zope" to see why); and the ACLs are
    propagated to newly-created subdirectories.

    --
    | Darren Salt | linux or ds at | nr. Ashington, | Toon
    | RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
    | + At least 4000 million too many people. POPULATION LEVEL IS UNSUSTAINABLE.

    The hand that kindles cannot quench the flame.
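    The mechanism Darren describes (a default ACL replacing the umask as the mask for new objects) can be seen in a few lines. The following is an added example for this thread, not code posted by anyone in it: it models the rule from acl(5) and also reproduces Stefan's original observation by creating a file in an sgid directory under umask 022. The directory, umask and file names are constructed; the default ACL dict mirrors the d:g::rwx entry with user/other entries assumed to be rwx and r-x.

```python
"""How a new file's mode is derived, without and with a default ACL.

Added example for this thread, not code posted by anyone in it. It models the
rule in acl(5): with no default ACL on the parent directory, the mode requested
by open(2)/mkdir(2) is masked by the process umask; with a default ACL the umask
is ignored and the requested mode is masked by the default ACL entries instead.
The sgid directory, umask and file names below are constructed.
"""
import os
import stat
import tempfile

# Modes that the C library normally requests for a new file and a new directory.
REQUESTED_FILE = 0o666
REQUESTED_DIR = 0o777

# Default ACL corresponding to "d:g::rwx" on /var/lib/zope; the user and other
# entries are assumed to match the directory's own bits (rwx / r-x).
ZOPE_DEFAULT_ACL = {"user": "rwx", "group": "rwx", "other": "r-x"}


def mode_without_default_acl(requested, umask):
    """Classic rule: every bit set in the umask is cleared from the requested mode."""
    return requested & ~umask & 0o777


def _bits(entry):
    """Turn an 'rwx'-style permission string into a 3-bit value."""
    return (("r" in entry) << 2) | (("w" in entry) << 1) | int("x" in entry)


def mode_with_default_acl(requested, default_acl):
    """acl(5) rule: each class keeps only bits present in BOTH the requested mode
    and the matching default ACL entry; the umask is not consulted at all.

    default_acl maps 'user', 'group' and 'other' to strings like 'rwx'. A
    default ACL with named entries also carries a mask entry, which then takes
    the place of the group entry here; minimal ACLs like this one have no mask.
    """
    result = 0
    for cls, shift in (("user", 6), ("group", 3), ("other", 0)):
        wanted = (requested >> shift) & 0o7
        result |= (wanted & _bits(default_acl.get(cls, "---"))) << shift
    return result


def reproduce_problem(umask=0o022):
    """Create a file in an sgid directory under the given umask and return its mode.

    This is user b's situation: the setgid bit only selects the file's group,
    the mode bits still come from requested_mode & ~umask, so the group-write
    bit is missing whenever the umask clears it.
    """
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            shared = os.path.join(tmp, "zope")
            os.mkdir(shared)
            os.chmod(shared, 0o2775)            # drwxrwsr-x, like /var/lib/zope
            path = os.path.join(shared, "a_file")
            with open(path, "w") as fh:
                fh.write("created under umask %04o\n" % umask)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


def compare(umask=0o022, default_acl=None):
    """Side-by-side result for a file and a directory created in the shared directory."""
    default_acl = default_acl or ZOPE_DEFAULT_ACL
    return {
        "file_no_acl": mode_without_default_acl(REQUESTED_FILE, umask),       # 0o644
        "file_with_acl": mode_with_default_acl(REQUESTED_FILE, default_acl),  # 0o664
        "dir_no_acl": mode_without_default_acl(REQUESTED_DIR, umask),         # 0o755
        "dir_with_acl": mode_with_default_acl(REQUESTED_DIR, default_acl),    # 0o775
    }


if __name__ == "__main__":
    print("file actually created under umask 022: %04o" % reproduce_problem())
    for name, mode in compare().items():
        print("%-14s %04o" % (name, mode))
```

    The model shows why the default ACL "effectively enforces 0002": files request 0666, so the group entry rwx leaves rw- for the group, and directories request 0777 and keep rwx. It also shows that a default ACL does not hand out more than the creator asked for, so a process that deliberately creates a 0600 file still gets a 0600 file.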

  3. Re: sticky bits, owner,

    On Mon, 05 Nov 2007 14:51:56 +0000, Darren Salt wrote:

    > I demand that Stefan Palme may or may not have written...
    > [snip]
    >
    > setfacl.
    >
    > Setting the default ACLs for that directory and all subdirectories should be
    > sufficient:
    > # setfacl -R --set d:g::rwx /var/lib/zope
    >
    > (If not done as root, you won't be able to set the ACLs for files owned by
    > others.)
    >
    > This overrides the umask setting, effectively enforcing 0002 for
    > newly-created objects ("getfacl /var/lib/zope" to see why); and the ACLs are
    > propagated to newly-created subdirectories.


    Thanks, this is probably exactly what I am searching for.

    Currently "getfacl /var/lib/zope" gives me:
    user::rwx
    group::rwx
    other::r-x

    But I guess this happens because I don't have support for ACLs
    in my running kernel (according to the setfacl man page, in this case
    simply the "normal" permission bits will be used).

    Is it a problem to simply recompile the kernel with ACL support enabled?
    Or do I have to re-create the filesystem in the next step?

    Thanks and regards
    -stefan-


  4. Re: sticky bits, owner,

    Stefan Palme wrote:
    > On Mon, 05 Nov 2007 14:51:56 +0000, Darren Salt wrote:
    >
    >> I demand that Stefan Palme may or may not have written...
    >> [snip]
    >>
    >> setfacl.
    >>
    >> Setting the default ACLs for that directory and all subdirectories should be
    >> sufficient:
    >> # setfacl -R --set d:g::rwx /var/lib/zope
    >>
    >> (If not done as root, you won't be able to set the ACLs for files owned by
    >> others.)
    >>
    >> This overrides the umask setting, effectively enforcing 0002 for
    >> newly-created objects ("getfacl /var/lib/zope" to see why); and the ACLs are
    >> propagated to newly-created subdirectories.

    >
    > Thanks, this is probably exactly what I am searching for.
    >
    > Currently "getfacl /var/lib/zope" gives me:
    > user::rwx
    > group::rwx
    > other::r-x
    >
    > But I guess this happens because I don't have support for ACLs
    > in my running kernel (according to the setfacl man page, in this case
    > simply the "normal" permission bits will be used).
    >
    > Is it a problem to simply recompile the kernel with ACL support enabled?
    > Or do I have to re-create the filesystem in the next step?
    >
    > Thanks and regards
    > -stefan-
    >


    You just need to mount the filesystem with the "acl" mount option:
    # mount -o remount,acl

    Also, you probably want to use this instead:

    # setfacl -R --set d:g::rwX /var/lib/zope

    (note the capital 'X').

    -Wayne

  5. Re: sticky bits, owner,

    In news:pan.2007.11.05.12.12.22.982326@hora-obscura.de,
    Stefan Palme wrote:

    > drwxrwsr-x zope zope /var/lib/zope


    That is NOT a "sticky bit"; that is an sgid bit. A sticky bit would be set
    via "chmod +t /var/lib/zope":

    drwxrwsr-t zope zope /var/lib/zope
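    The two mode strings above differ only in the last character, which is easy to misread. As an added example (not code posted in this thread), the following renders a st_mode value the way ls(1) does, parses such a string back, and names the special bits, so "drwxrwsr-x" (setgid only) and "drwxrwsr-t" (setgid plus sticky) can be checked programmatically. The sample strings are the thread's own; everything else is assumed.

```python
"""Tell setgid from sticky in an ls(1)-style mode string, and back again.

Added example for this thread, not code posted in it. mode_string() renders a
st_mode value the way ls prints it, parse_mode_string() reverses that, and
special_bits() names the special bits. The samples are the thread's own
'drwxrwsr-x' and the 'drwxrwsr-t' that chmod +t would produce.
"""
import stat

# (read, write, exec, special bit, letter with exec, letter without exec) per class
_CLASSES = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s", "S"),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s", "S"),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t", "T"),
)


def mode_string(mode):
    """Render a st_mode value, e.g. 0o42775 -> 'drwxrwsr-x'."""
    if stat.S_ISDIR(mode):
        kind = "d"
    elif stat.S_ISLNK(mode):
        kind = "l"
    else:
        kind = "-"
    out = [kind]
    for r, w, x, special, with_x, without_x in _CLASSES:
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & special:
            out.append(with_x if mode & x else without_x)  # 's'/'t' stand in for the x bit
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)


def parse_mode_string(text):
    """Inverse of mode_string(): 'drwxrwsr-t' -> 0o43775."""
    if len(text) != 10:
        raise ValueError("expected a 10-character ls mode string, got %r" % text)
    mode = {"d": stat.S_IFDIR, "l": stat.S_IFLNK, "-": stat.S_IFREG}[text[0]]
    for i, (r, w, x, special, with_x, without_x) in enumerate(_CLASSES):
        rc, wc, xc = text[1 + 3 * i: 4 + 3 * i]
        if rc == "r":
            mode |= r
        if wc == "w":
            mode |= w
        if xc in ("x", with_x):        # lowercase s/t means x is set as well
            mode |= x
        if xc in (with_x, without_x):  # s/S or t/T means the special bit is set
            mode |= special
    return mode


def special_bits(mode):
    """Names of the special bits set on a mode, in the order setuid, setgid, sticky."""
    names = []
    for flag, name in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"), (stat.S_ISVTX, "sticky")):
        if mode & flag:
            names.append(name)
    return names


if __name__ == "__main__":
    for sample in ("drwxrwsr-x", "drwxrwsr-t", "drwxrwxrwt"):
        mode = parse_mode_string(sample)
        print(sample, "%05o" % stat.S_IMODE(mode), special_bits(mode))
```

    On a directory the two bits do different jobs: setgid makes new entries inherit the directory's group (what Stefan relies on), while sticky restricts deleting or renaming entries to their owner, the directory owner, or root, which is why /tmp shows as "drwxrwxrwt".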


  6. Re: sticky bits, owner,

    I demand that Stefan Palme may or may not have written...

    > On Mon, 05 Nov 2007 14:51:56 +0000, Darren Salt wrote:

    [snip; how to enforce group write permissions?]
    >> setfacl.


    >> Setting the default ACLs for that directory and all subdirectories should
    >> be sufficient:
    >> # setfacl -R --set d:g::rwx /var/lib/zope

    [snip]

    > Thanks, this is probably exactly what I am searching for.


    > Currently "getfacl /var/lib/zope" gives me:
    > user::rwx
    > group::rwx
    > other::r-x


    Those would be the default ACL entries. You can use chmod to alter them; see
    acl(5).

    [snip]
    > Is it a problem to simply recompile the kernel with ACL support enabled?


    I've just done so on my laptop; no problems.

    > Or do I have to re-create the filesystem in the next step?


    No, but you should make sure that the ACL mount option is enabled for every
    partition on which you want ACL support. You can do this by adding "acl" as a
    mount option to the appropriate entries in /etc/fstab or by setting it in the
    appropriate superblocks ("tune2fs -o acl /dev/foo" for ext2 or ext3; you'll
    want this for the root fs!); and you can do it on-the-fly by using "mount
    /bar -o remount,acl".

    --
    | Darren Salt | linux or ds at | nr. Ashington, | Toon
    | RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
    | + Output less CO2 => avoid boiling weather. TIME IS RUNNING OUT *FAST*.

    Bad filename, 0:1
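    Checking that every filesystem you care about is mounted with ACL support is the kind of thing worth scripting. The following is an added example, not code from this thread: it parses fstab-style lines, applies acl/noacl in order, finds the entry backing a path such as /var/lib/zope, and lists paths whose filesystem would lack ACLs. The fstab text is a constructed sample with placeholder UUIDs and invented mount points; FSTYPES_ACL_BY_DEFAULT is an assumption about current kernels (the 2007-era ext3 in the thread needed the option explicitly).

```python
"""Check which filesystems in an fstab would be mounted with ACL support.

Added example for this thread, not code posted in it. The fstab text is a
constructed sample (placeholder UUIDs, invented mount points). Assumptions:
later options override earlier ones, so "noacl,acl" ends up with ACLs on; and
the filesystem types in FSTYPES_ACL_BY_DEFAULT have ACLs on without an
explicit option on current kernels, which ext3 in 2007 did not.
"""

# Filesystems assumed to enable POSIX ACLs by default on current kernels;
# adjust for the kernel you run. ext2/ext3 are left out on purpose.
FSTYPES_ACL_BY_DEFAULT = {"ext4", "xfs", "btrfs", "tmpfs"}

SAMPLE_FSTAB = """\
# constructed sample, not any real host's fstab
UUID=ROOT-PLACEHOLDER  /        ext3   defaults,errors=remount-ro  0 1
UUID=VAR-PLACEHOLDER   /var     ext3   defaults,acl                0 2
/dev/mapper/data       /srv     ext4   defaults,noacl              0 2
/dev/sdb1              /backup  ext3   defaults,noacl,acl          0 2
tmpfs                  /run     tmpfs  nosuid,nodev                0 0
"""


def parse_fstab(text):
    """Parse fstab lines into dicts; comments, blank and short lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue
        entries.append({
            "device": fields[0],
            "mountpoint": fields[1],
            "fstype": fields[2],
            "options": fields[3].split(","),
        })
    return entries


def acl_enabled(entry):
    """True if this entry mounts with ACLs active, after applying acl/noacl in order."""
    state = entry["fstype"] in FSTYPES_ACL_BY_DEFAULT
    for opt in entry["options"]:
        if opt == "acl":
            state = True
        elif opt == "noacl":
            state = False
    return state


def mount_for_path(entries, path):
    """Entry whose mount point is the longest prefix of path (the filesystem holding it)."""
    best = None
    for entry in entries:
        mp = entry["mountpoint"]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mountpoint"]):
                best = entry
    return best


def mountpoints_without_acl(text, paths):
    """Paths whose backing filesystem, per this fstab, would not support ACLs."""
    entries = parse_fstab(text)
    missing = []
    for path in paths:
        entry = mount_for_path(entries, path)
        if entry is None or not acl_enabled(entry):
            missing.append(path)
    return missing


if __name__ == "__main__":
    checked = ["/var/lib/zope", "/srv/shared", "/backup", "/home/a"]
    print("paths without ACL support:", mountpoints_without_acl(SAMPLE_FSTAB, checked))
```

    fstab is only one of the two places Darren names: a default set with "tune2fs -o acl" lives in the superblock and is invisible here, so the authoritative check is the options column of /proc/mounts on the running system, which the same parser reads if you feed it that file's lines (mount point and options are in the same positions).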
