Hi all,
Let's say that I want to restrict access to a directory hierarchy
under 'mytopdir' to members of a particular group 'mygroup', on a
Linux ext3 filesystem, running kernel version 2.6.x or higher.
(1) Is it sufficient to change the permissions of the top level
directory to 750 and the group to mygroup?
chgrp mygroup mytopdir
chmod 750 mytopdir
(2) Or must the permissions and group ID be set all the way down
through the directory hierarchy (with a setgid bit set on directories
to ensure the same group ID for new files)?
chgrp -R mygroup mytopdir
chmod -R g+rX,o-rwx mytopdir
find mytopdir -type d -print | xargs chmod g+s
In the first case, I could envision some program (e.g. e2fsck and/or
debugfs) that is able to access the inode of an unprotected lower
level directory and then access the files in that directory.
But as far as I can tell, any /sbin program of that sort requires
root-level access to play with the filesystem that way, and if you
have root-level access you might as well traverse the filesystem
without worrying about inode hacks.
Question: Is (1) a secure enough method, assuming that root hasn't
been compromised and that a hacker or malicious user isn't a member of
'mygroup'?
I have been recommending approach (2) to users to avoid even the
*appearance* that access-controlled files do not have restrictions [it
is also helpful in the event that a subdirectory is copied somewhere
else in the filesystem] but there are cases in which (1) would be the
only practical approach, for example if you want to enforce that a
user must be a member of two groups:
umask 027
mkdir group1dir
chgrp group1 group1dir
cd group1dir
mkdir group2dir
chgrp group2 group2dir
# Do group1 + group2 work under group1dir/group2dir/* ...
Thanks,
Ted
--
Frango ut patefaciam -- I break so that I may reveal
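An added, runnable check for approach (2), not Ted's code or anything from this thread: it applies the recursive chgrp/chmod/setgid steps to a constructed temporary tree and then audits every entry for the three properties approach (2) is meant to guarantee (no 'other' bits, correct group, setgid on every directory). It assumes the caller's primary group stands in for 'mygroup' so it runs without root.

```shell
# Assumption: the caller's primary group stands in for 'mygroup' so the
# script needs no root; the policy audited is the post's approach (2).
GROUP=$(id -gn)

# Apply approach (2) to a tree: group, g+rX / o-rwx, setgid on every directory.
lock_tree() {
    chgrp -R "$GROUP" "$1"
    chmod -R g+rX,o-rwx "$1"
    find "$1" -type d -exec chmod g+s '{}' +
}

# Report entries that violate the policy, one per line with a reason tag:
# WORLD = any r/w/x bit for 'other', GROUP = wrong group, NOSGID = dir without setgid.
audit_tree() {
    find "$1" \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print | sed 's/^/WORLD  /'
    find "$1" ! -group "$GROUP" -print | sed 's/^/GROUP  /'
    find "$1" -type d ! -perm -2000 -print | sed 's/^/NOSGID /'
}

# Number of violations; 0 means the whole tree matches approach (2).
count_violations() {
    audit_tree "$1" | wc -l | tr -d ' '
}

# Constructed sample: a world-readable, non-setgid hierarchy like the
# "unprotected lower level directory" case in the post.
make_sample_tree() {
    top=$(mktemp -d)
    mkdir -p "$top/sub/deeper"
    printf 'secret\n' > "$top/sub/deeper/file.txt"
    chmod 755 "$top" "$top/sub" "$top/sub/deeper"
    chmod 644 "$top/sub/deeper/file.txt"
    printf '%s\n' "$top"
}

# Demo: audit before and after locking the tree down.
TOP=$(make_sample_tree)
echo "before: $(count_violations "$TOP") violation(s)"
audit_tree "$TOP"
lock_tree "$TOP"
echo "after:  $(count_violations "$TOP") violation(s)"
rm -rf "$TOP"
```

Running the audit on a tree locked only with approach (1) lists every unprotected subdirectory and file, which is exactly the "appearance" problem Ted describes, and the same output flags a subtree that has been copied elsewhere without its protections.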