berkay

Reputation: 3967

How can UNIX access control create compromise problems?

My system administrator advises me to be careful when setting access control on files and directories. He gave me an example and I got confused; here it is: a file with protection mode 644 (octal) contained in a directory with protection mode 730. So it means:

How can the file be compromised in this case?

Upvotes: 2

Views: 4975

Answers (2)

Jonathan Leffler

Reputation: 754520

It depends on what you mean by 'compromise' and it depends on who belongs to the group.

The directory permissions are critical. Since members of the group can access the directory ('x') and can modify the directory ('w'), even though they cannot list the directory (no 'r'), it means that if a member of the group knows the name of the file, that person can also remove it because removing a file requires permission to write to the directory - the file permissions are immaterial (even though commands such as 'rm' let you know when you don't have write permission on the file, that is a courtesy, because it doesn't matter to the 'unlink()' system call).

So, a member of your group (or, more precisely, a member of the group to which the directory belongs) can remove the file if they know its name. They can also read the file if they know its name, and they can create a file of the same name if the original is already missing. It appears from the file permissions that being able to read the file is not compromise - you would have denied group read access (and public read access) if that mattered.

Note that although your group members cannot modify the file, because they can delete the file and create a new one with the same name, the result is basically the same as being able to modify the file. One key difference is that you'd know which user did the mischief because that user would own the file. (Well, someone with access to that user ID did the mischief.)

Upvotes: 9
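As an added illustration (not part of either answer), here is a small Python model of the POSIX discretionary access check applied to the 644-in-730 case from the question. The Inode and Principal types, the uids and gids are constructed for the example; it also covers the directory sticky bit, which the answer above does not discuss, because that is the one case where directory write permission alone is not enough to unlink.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Inode:
    mode: int          # full mode bits, e.g. 0o644 or 0o1730 (sticky bit set)
    uid: int
    gid: int

@dataclass(frozen=True)
class Principal:
    uid: int
    groups: frozenset  # every group the process belongs to, primary included

R, W, X = 4, 2, 1

def class_bits(inode, who):
    """Select the one rwx triplet that applies: owner, else group, else other."""
    if who.uid == 0:                 # root bypasses discretionary access control
        return R | W | X
    if who.uid == inode.uid:
        return (inode.mode >> 6) & 0o7
    if inode.gid in who.groups:
        return (inode.mode >> 3) & 0o7
    return inode.mode & 0o7

def can(inode, who, need):
    return class_bits(inode, who) & need == need

def analyse(directory, f, who):
    """Which operations can `who` perform on file `f` inside `directory`?"""
    traverse = can(directory, who, X)              # needed to reach the name at all
    dir_write = traverse and can(directory, who, W)
    # Sticky bit: unlink also requires owning the file or the directory (or root).
    sticky_ok = (not directory.mode & stat.S_ISVTX
                 or who.uid in (0, f.uid, directory.uid))
    return {
        "list_dir":    can(directory, who, R),
        "read_file":   traverse and can(f, who, R),
        "write_file":  traverse and can(f, who, W),
        "unlink_file": dir_write and sticky_ok,    # file mode never consulted
        "create_file": dir_write,
    }

# Constructed scenario from the question: owner uid 1000, directory group gid 100.
DIRECTORY = Inode(0o730, uid=1000, gid=100)
FILE = Inode(0o644, uid=1000, gid=100)
GROUP_MEMBER = Principal(uid=1001, groups=frozenset({100}))
OUTSIDER = Principal(uid=1002, groups=frozenset({200}))
```

For the group member the model returns read, unlink and create permitted but list and write denied, which is exactly the delete-and-recreate path the answer describes; an outsider with no directory search bit gets nothing.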

Carl Smotricz

Reputation: 67790

Since the directory can be written to, the file could simply be overwritten with another if the attacker is in the directory owner's group.

Upvotes: 1
