Addition to previous email:

Example: In terminal B I can still modify files as follows:

    touch aaa
    echo "123" > aaa

But when I do

    vi aaa

even in the same terminal, vi can't access the file aaa.
7. Mar 2018 14:14 by epsilon...@tutanota.com:

> Sorry, it is very counter intuitive to me.
> So what you say is this: if there is an open terminal before chmod 700, then
> I can use that terminal to access "apple", but after I close terminal B,
> there is no way to access that apple directory? Neither with a shell window,
> nor with another software?
> In some cases this may lead to serious security issues, doesn't it?
> Let me ask this specific question: is there any way to access apple, other
> than the already open terminal B? If not, then it is ok, but if there is any
> way to access apple, then I have to do recursive chown and chmod to make sure
> nobody can access anything below /opt/experiment.
>
> 7. Mar 2018 14:06 by to...@tuxteam.de:
>
>> On Wed, Mar 07, 2018 at 11:54:43AM +0100, epsilon...@tutanota.com wrote:
>>> 7. Mar 2018 11:27 by to...@tuxteam.de:
>>>
>>> > I can't reproduce, either. Once the chown to root happens, non-root
>>> > user can't touch files in directory. Ext4.
>>>
>>> I double checked. Sorry the previous example was not good. To reproduce the
>>> issue, you have to create another directory inside the top one. Here is a
>>> working example:
>>>
>>> # terminal A
>>> su
>>> mkdir /opt/experiment/
>>> chown aristo:aristo /opt/experiment
>>> mkdir /opt/experiment/apple
>>> chown aristo:aristo /opt/experiment/apple
>>>
>>> # terminal B
>>> whoami # aristo
>>> cd /opt/experiment/apple
>>> touch aaa # OK
>>
>> So far so good. Not surprising, IMO.
>>
>>> # terminal A
>>> chown root:root /opt/experiment
>>> chmod 700 /opt/experiment
>>>
>>> # terminal B
>>> pwd # Gives /opt/experiment/apple
>>> touch bbb # OK bbb is created
>>
>> Also OK. Or is that surprising to you? Aristo has write permissions for
>> apple.
>>
>>> cd /opt/experiment/apple # Gives permission denied
>>
>> That's also OK. While aristo has permissions for apple (x is relevant
>> here), it hasn't for experiment, so it can't "traverse" it.
>>
>>> # new terminal C
>>> cd /opt/experiment/apple # Denied
>>> touch /opt/experiment/apple/ccc # Denied
>>
>> Same as above: the resolution of the whole path requires traversing
>> each path's element in turn, and it fails at "experiment". There's
>> even a man page for that: see "man path_resolution" (part of the
>> manpages package).
>>
>>> Note that, after chmod 700, in terminal B you can still create files,
>>> although you cannot cd into apple.
>>
>> Yes, it is supposed to work like that.
>>
>> Cheers
>> - -- tomás
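The traversal behaviour tomás describes, reproduced as an added example (not code from the thread) in a temporary directory instead of /opt/experiment; it assumes an unprivileged user (root ignores these mode bits) and uses chmod 600 on the parent in place of "chown root + chmod 700" so the same user can set and undo it. It also runs the check the question asks about: once apple itself loses its w and x bits, even the shell already sitting inside it can no longer create files.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the path-resolution
# behaviour in a temporary directory; assumes an unprivileged user.
# chmod 600 on the parent stands in for "chown root + chmod 700", so the
# same user can remove and later restore its own x bit.

# Prints one word per check, in order: ok or denied.
demo() (
    base=$(mktemp -d) || exit 1
    mkdir "$base/experiment" "$base/experiment/apple" || exit 1
    cd "$base/experiment/apple" || exit 1      # this shell is now "terminal B"

    touch aaa 2>/dev/null && r1=ok || r1=denied            # before: ok

    chmod 600 "$base/experiment"                           # drop x on the parent

    # Relative name: resolved from the cwd inode; the parent is never traversed.
    touch bbb 2>/dev/null && r2=ok || r2=denied            # ok

    # Absolute paths: resolution must traverse "experiment" and fails there
    # (see path_resolution(7)), even from the shell whose cwd is inside.
    (cd "$base/experiment/apple") 2>/dev/null && r3=ok || r3=denied       # denied
    touch "$base/experiment/apple/ccc" 2>/dev/null && r4=ok || r4=denied  # denied

    # The "recursive chmod" question: removing w+x on apple itself also stops
    # the already-open shell, because creating an entry checks apple's current mode.
    chmod 000 "$base/experiment/apple"
    touch ddd 2>/dev/null && r5=ok || r5=denied            # denied

    # Restore modes (parent first, so apple is reachable) and clean up.
    chmod 700 "$base/experiment"
    chmod 700 "$base/experiment/apple"
    cd / && rm -rf "$base"
    echo "$r1 $r2 $r3 $r4 $r5"
)

demo
```

Expected output for a normal user is "ok ok denied denied denied"; as root every step succeeds, which is the CAP_DAC_OVERRIDE exception rather than a contradiction of the thread.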