[lug] File permissions & groups
Bear Giles
bgiles at coyotesong.com
Tue Mar 12 09:37:55 MST 2002
> -rws--x--- 1 root cdwrite 353084 Aug 8 2001 mkisofs
> -rws--x--- 1 root cdwrite 177852 Aug 8 2001 cdrecord
>
> I've just read a doc on file permissions and if I understand it
> correctly, having the SUID bit set should allow a regular user to run
> these programs. I've also tried adding myself, the regular user, to the
> cdwrite group, but I still can't run these commands. What am I missing?
These permissions are *weird*. Execute permission, but no read
permission?!
To allow access by members of the cdwrite group, the permissions should
be 04760 (-rwsr-x---). To allow access by anyone, the permissions
should be 04766 (-rwsr-xr-x).
However, I don't see much value in making either program SUID root.
cdrecord needs to be able to write to the CD writer, but that can be
better handled by making the program SGID and setting the CD writer
group to cdwrite. Or strip all SxID bits and make the users change
groups themselves.
mkisofs is a bit more complex. Do you really want to allow users to
make ISO9660 images of directories and files they don't have permission
to read? That's a *huge* security hole. (If you're using it for backups,
then set it up as a proper backup mechanism.) The only other "benefit"
is that you can write iso images anywhere. But again this is a huge
security hole for DOS purposes (e.g., "mkisofs -o /etc/shadow /") and
the problem is easily solved by setting o+rwx,u+t permissions on a large
cache directory.
Personally, I think you could (and should) avoid SUID permissions for
both programs. Just use 0766 permissions.
More information about the LUG
mailing list