On Wed, Mar 07, 2018 at 12:14:10PM +0100, epsilon...@tutanota.com wrote:
> Sorry, it is very counterintuitive to me.
> So what you say is this: if there is an open terminal before chmod 700,
> then I can use that terminal to access "apple", but after I close terminal
> B, there is no way to access that apple directory?

No. The decisive point is that the first shell has access to the
subdirectory "apple" (via its "current working directory"), while
a new shell can't resolve the whole path "/opt/experiment/apple",
because it will fail at the step "experiment".

> Neither with a shell window, nor with another software?

Any software shares the shell's limitations; after all, it
has to invoke the operating system's services: if it wants to
access this directory by traversing the path -- that's it.

> In some cases this may lead to serious security issues, doesn't it?

Can you make up an example?

> Let me ask this specific question: is there any way to access apple, other
> than the already open terminal B? If not, then it is ok, but if there is any way
> to access apple, then I have to do recursive chown and chmod to make sure
> nobody can access anything below /opt/experiment.

The "terminal" is unimportant here. It's the process doing the
access (in your concrete case it's the shell running in the
terminal): if it already has access to the directory in question
(e.g. by an open file descriptor, which it has, courtesy of the
"current working directory"), then just that directory's permissions
apply. If you want to travel the whole way down (e.g. in the case
of "open", when provided with a full path), all the intermediate
directories play a role.

Read the manpage. Very instructive.

Cheers
-- tomás
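
The behaviour described in the reply above, as an added example that is not part of the original message: a process that already sits in "apple" keeps working there after the parent loses its search bit, while a fresh lookup of the full path fails at "experiment". The temporary directory tree, `note.txt` and the use of `chmod 0` by the owner (standing in for a `chmod 700` by a different owner) are assumptions made so the script runs unprivileged.

```python
import os
import stat
import tempfile


def probe(action):
    """Run action(); return 'ok' or the name of the OSError it raised."""
    try:
        action()
        return "ok"
    except OSError as exc:
        return type(exc).__name__


def demo():
    """Constructed stand-in for /opt/experiment/apple under a temp dir."""
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as base:
        experiment = os.path.join(base, "experiment")
        apple = os.path.join(experiment, "apple")
        os.makedirs(apple)
        with open(os.path.join(apple, "note.txt"), "w") as fh:
            fh.write("constructed sample\n")

        os.chdir(apple)  # like the shell that was already open
        dir_fd = os.open(apple, os.O_RDONLY | os.O_DIRECTORY)
        os.chmod(experiment, 0)  # nobody may search "experiment" now
        try:
            return {
                # Starts at the cwd: only apple's own permissions matter.
                "cwd_relative": probe(lambda: os.listdir(".")),
                # Starts at a descriptor opened earlier: same result.
                "fd_relative": probe(lambda: os.close(
                    os.open("note.txt", os.O_RDONLY, dir_fd=dir_fd))),
                # Full path: resolution has to pass through "experiment".
                # (root bypasses the check and gets 'ok' here.)
                "full_path": probe(lambda: os.listdir(apple)),
            }
        finally:
            os.chmod(experiment, stat.S_IRWXU)  # restore so cleanup works
            os.close(dir_fd)
            os.chdir(old_cwd)


if __name__ == "__main__":
    for how, outcome in demo().items():
        print(f"{how:13} -> {outcome}")
```

To cut off a process that is already inside, the permissions on "apple" itself (and below) have to change, since those are the only ones checked for cwd-relative and descriptor-relative access.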
