On Tue, 2009-08-25 at 20:38 +0200, Florian Zumbiehl wrote:

> Or in more general terms: Well, yeah, there probably are many userspace
> configurations where such permissions would not be a wise thing to use.
> But still, there probably are just as many cases that are perfectly
> safe
>

No, there really isn't.

Let's go back to basics of the UNIX security model, and most importantly, how this is *interpreted* by applications.

The model is one of "grant". That is to say, that to be able to perform any privileged action, you must be granted that privilege. Even your uid is a "grant" of privilege, it enables you to communicate and change other processes running under that same uid. Likewise a gid is a "grant" of privilege.

Therefore there is an assumption that a newly created user, with a unique uid and gid not used anywhere, has effectively no privilege. This assumption is used in many places, but most notably when daemons and services run as a user of their own - or even the "nobody" user.

Your example breaks this assertion. By giving a user or group *less* privilege than other users, you have effectively granted a privilege to "nobody" and secure users that genuine users *do not have*.

Put simply, a mask should decrease in value when read from left to right - 755 is valid, 577 isn't.

Giving a user or group less privilege than "anybody else" is easy to circumvent, because the basic assumption is that by changing user or adding a group you are *gaining* privilege, not dropping it - and thus by switching to a "nobody" user you are *dropping* privilege not gaining it.

Scott
--
Scott James Remnant
scott@xxxxxxxxxxxxx
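An added example, not part of the original message: a small audit that flags modes where a less specific class (group or other) holds a permission bit that a more specific class lacks, which is the 577 case described above. It compares individual r/w/x bits, which is stricter than comparing the octal digits by value; the function names and the constructed temporary files are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Permission classes from most to least specific, with their bit shift.
CLASSES = (("owner", 6), ("group", 3), ("other", 0))
BITS = ((4, "r"), (2, "w"), (1, "x"))


def inversions(mode):
    """List (denied_class, granted_class, bits) where a less specific
    class holds a permission bit that a more specific class lacks."""
    perms = [(name, (mode >> shift) & 7) for name, shift in CLASSES]
    found = []
    for i, (hi_name, hi) in enumerate(perms):
        for lo_name, lo in perms[i + 1:]:
            extra = lo & ~hi
            if extra:
                letters = "".join(c for bit, c in BITS if extra & bit)
                found.append((hi_name, lo_name, letters))
    return found


def audit_tree(root):
    """Walk root and return {path: inversions} for each flagged entry."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not used for access
            inv = inversions(stat.S_IMODE(st.st_mode))
            if inv:
                report[path] = inv
    return report


def demo():
    """Audit a constructed tree: one sane mode, one inverted mode."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("ok", 0o755), ("inverted", 0o577)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return {os.path.basename(p): v for p, v in audit_tree(root).items()}


if __name__ == "__main__":
    print(demo())
```

A mode such as 0604 is reported as a group/other inversion: any process that is not in the group gets read access that group members are denied.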