-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Mar 07, 2018 at 12:42:19PM +0100, epsilon...@tutanota.com wrote: > OK thanks for the explanations. > To make sure: > 1.) To prevent this scenario, I have to do recursive chown and chmod.
I don't quite understand what you mean by "scenario": that a process under the uid of "aristo" can modify the subdirectory "apple"? If you don't want that, yes, you'll have to change its owner (or group) and set its permissions accordingly. > 2.) If I chmod only /opt/experiment, there is absolutely no other way to > access apple, other than an already open terminal. Forget the terminal. It's the shell (in this case: it could be any process in other cases). There are other ways, see below: > Correct? Not quite: try su cd /opt/experiments/apple su aristo touch ccc # now I modified dir apple as user aristo Or better with sudo, anyway: sudo -s cd /opt/experiments/apple sudo -u aristo -s touch ccc # now I modified dir apple as user aristo "You" just need a "helper process" which can traverse experiments and gives "you" [1] an open descriptor to "apple". There are other ways to pass open file descriptors around in Unix-like systems. Quite possibly you can use them in a similar way. [1] "You" is here just a shorthand for "the process running under the aristo UID which can't by itself open the whole path /opt/experiments/apple) Cheers - -- t -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlqf1JMACgkQBcgs9XrR2kaklACfSWlqj3k/6iQwTxYs0RkOZaih hB4An1eP+iVNa8uy7W1rrgQyS0KA1AIc =uHKo -----END PGP SIGNATURE-----