Re: [cobalt-developers] RE: cobalt-developers digest, Vol 1 #1474 - 4 msgs
- From: Michael Stauber <devel@xxxxxxxxxxxxxx>
- Date: Mon Jun 10 12:57:01 2002
- Organization: SOLARSPEED.NET
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
Hi Ian,
> No, fortunately this is not the case. Users are placed into groups based
> on their site (fred:site1, jill:site12 etc.). Although each user could
> see world-readable files (such as certain configs, some logs etc.), they
> would not be able to see files where permission has been granted only
> for a group they are not in. So fred, in my example, would be able to
> tell that a site12 existed but would not be able to see the files
> underneath that directory.
That's wrong, Ian. Let's run through this by example:
[cbank web]$ whoami
cbank
[cbank web]$ cat /etc/passwd|grep cbank
cbank:x:281:100:Carsten Bank:/home/sites/site19/users/cbank:/bin/bash
So user "cbank" belongs to group "site19". Note that we were able to get that
information out of /etc/passwd which is a hilarious security breach to begin
with. Permissions on /etc/passwd are usually improperly set when the
OS-restore-CD has been used - like in this case here on that particular RaQ4.
Now note this:
[cbank web]$ pwd
/home/sites/site3/web
[cbank web]$ ls -la
total 2425
drwxrwsr-x 9 nobody site3 1024 May 12 01:06 .
drwxrwsr-x 7 nobody site3 1024 Mar 19 01:18 ..
-rw-r--r-- 1 powercat site3 761 Jun 8 00:52 .htaccess
drwxr-sr-x 4 powercat site3 1024 Apr 21 23:08 Teacat
-rw-r--r-- 1 powercat site3 11195 Jan 22 23:29 banner1.gif
-rw-r--r-- 1 powercat site3 2238 Feb 15 23:08 favicon.ico
drwxr-xr-x 10 powercat site3 1024 Apr 4 17:31 forum
drwxr-xr-x 6 powercat site3 1024 Nov 6 2001 forum144
drwxr-xr-x 2 powercat site3 1024 Feb 1 23:20 help
-rw-r--r-- 1 powercat site3 4644 Apr 21 23:18 index.html
drwxr-sr-x 11 powercat site3 6144 May 24 01:38 karten
-rw-rw-rw- 1 powercat site3 928 Apr 5 2001 metatag.inc
drwxr-xr-x 4 powercat site3 1024 Jan 22 18:46 poll
-rwxr--r-- 1 powercat site3 255 Apr 5 2001 robots.txt
-rw-r--r-- 1 powercat site3 1088 May 5 23:30 spiritflower.htm
drwxr-xr-x 2 powercat site3 3072 Mar 19 21:47 stats
-rw-r--r-- 1 powercat site3 10984 Sep 9 2001 teacatgb.gif
-rw-r--r-- 1 powercat site3 5055 Jan 22 19:23 umfrage.htm
So even though user "cbank" doesn't belong to site3 he can browse the /web
directory of this site. And as the permissions are in the above case he has
read access to all files there.
> Depends on the file permission. If the order file is created with
> world-readable permission, then the answer is yes. More likely though,
> the file would be created with group-only readable permissions which
> makes the answer no.
Group ID on the /web directories is set upon execution. The /web directories
usually have the octal mode 42775 which explicitly lets anyone read and
execute files within the /web directory of that site.
--
Mit freundlichen Grüßen / With best regards
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
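
Added example, not part of the message above and not Cobalt code: a small Python audit that applies the standard Unix owner/group/other rule to a few lines copied from the `ls -la` listing, showing what an account outside group site3 is granted on each entry. The function names are hypothetical, the user and group passed in follow the message, and root and ACLs are not modelled.

```python
import stat

# Constructed sample: lines copied from the site3 listing in the message above.
LISTING = """\
drwxrwsr-x 9 nobody site3 1024 May 12 01:06 .
-rw-r--r-- 1 powercat site3 761 Jun 8 00:52 .htaccess
-rw-rw-rw- 1 powercat site3 928 Apr 5 2001 metatag.inc
-rwxr--r-- 1 powercat site3 255 Apr 5 2001 robots.txt
drwxr-sr-x 4 powercat site3 1024 Apr 21 23:08 Teacat
"""

def parse_mode(text):
    """Turn an ls-style mode string such as 'drwxrwsr-x' into permission bits."""
    special = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
    bits = 0
    for i, ch in enumerate(text[1:10]):
        flag = 0o400 >> i                  # rwx bits for user, group, other in order
        if ch in "rwx":
            bits |= flag
        elif ch in "st":                   # lower case: execute plus the special bit
            bits |= flag | special[i]
        elif ch in "ST":                   # upper case: special bit without execute
            bits |= special[i]
    return bits

def allowed(mode, owner, group, user, user_groups):
    """Return the rwx triplet (0-7) that applies to user; exactly one class is used."""
    if user == owner:
        return (mode >> 6) & 7
    if group in user_groups:
        return (mode >> 3) & 7
    return mode & 7                        # everyone else falls into "other"

def audit(listing, user, user_groups):
    """Map each entry name to the access the given account receives."""
    report = {}
    for line in listing.splitlines():
        fields = line.split()              # assumes names without spaces
        mode, owner, group, name = parse_mode(fields[0]), fields[2], fields[3], fields[-1]
        perm = allowed(mode, owner, group, user, user_groups)
        report[name] = "".join(c if perm & b else "-" for c, b in zip("rwx", (4, 2, 1)))
    return report

if __name__ == "__main__":
    # cbank is outside site3, so only the "other" triplet applies to every entry.
    for name, perm in audit(LISTING, "cbank", {"site19"}).items():
        print(f"{perm}  {name}")
```

Any entry whose result contains `r` or `w` for the outside account is reachable across sites; clearing the "other" bits on the site's web directory removes that access, subject to whatever account the web server itself runs as.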