-----BEGIN PGP SIGNED MESSAGE-----
On Wed, Mar 07, 2018 at 12:14:10PM +0100, epsilon...@tutanota.com wrote:
> Sorry, it is very counter intuitive to me.
> So what you say is this: if there is an open terminal before chmod 700,
> then I can use that terminal to access "apple", but after I close terminal
> B, there is no way to access that apple directory?
No. The decisive point is that the first shell has access to the
subdirectory "apple" (via its "current working directory"), while
a new shell can't resolve the whole path "/opt/experiment/apple",
because it will fail at the step "experiment".
> Neither with a shall window, nor with another software?
Any software shares the shell's limitations; after all, it
has to invoke the operating system's services: if it wants to
access this directory by traversing the path -- that's it.
> In some cases this may lead to serious security issues, doesn't it?
Can you make up an example?
> Let me ask this specific question: is there any way to access apple, other
> than the already open terminal B? If not, then it is ok, but there is any way
> to access apple, then I have to do recursive chown and chmod to make sure
> nobody can access anything below /opt/experiment.
The "terminal" is unimportant here. It's the process doing the
access (in your concrete case it's the shell running in the
terminal): it it has already access to the directory in question
(e.g. by an open file descriptor, which it has, courtesy of the
"current working directory"), then just that directory's permission
apply. If you want to travel the whole way down (e.g. in the case
of "open", when provided with a full path), all the intermediate
directories play a role.
Read the manpage. Very instructive.
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----