Re: Permissions Question & Re: Permissions advice needed

2007-01-09 Thread Kirk Strauser
On Tuesday 09 January 2007 1:01 pm, [EMAIL PROTECTED] wrote:

> On 1/8/07, Kirk Strauser <[EMAIL PROTECTED]> wrote:

>> You could configure sudo to give him access to run that one
>> command as root.

> One has to be very careful about giving out such access!
> root has much power.

Hence "sudo", where you're giving them exactly one permission: the ability 
to execute one specific read-only command.
-- 
Kirk Strauser


pgpiZgdAhrYaY.pgp
Description: PGP signature


RE: Permissions advice needed.

2007-01-09 Thread Brett Davidson
To clarify a point, the following line, 

This works well as this is the only non-root suid file on the system

should be replaced with 

This works well as this is the only "non-root accessable" suid file on
the system.

Cheers,
Brett.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Davidson
Sent: Wednesday, 10 January 2007 8:53 a.m.
To: freebsd-questions@freebsd.org
Subject: FW: Permissions advice needed.

-Original Message-
From: Malcolm Kay [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 9 January 2007 6:03 p.m.
To: freebsd-questions@freebsd.org
Cc: Brett Davidson
Subject: Re: Permissions advice needed.

On Tue, 9 Jan 2007 06:13 am, Brett Davidson wrote:
> I have a curious problem.
>
> I need an executable file to be owned by a user's uid and gid so they 
> can run it.

Malcolm: A user does not need to own a file to be able to run it. All
they need is execute permission. So what is the real problem?

Brett: This file is being run via suexec in Apache, so yes, both uid and
gid need to match in order for the file to be run. 
This particular system is running a shared-hosting webserver and
utilising php-cgi and suexec appears to be the easiest way of providing
inter-site isolation.
The only problem with that is that you need a wrapper in order to
provide customised php.ini settings for each site via the PHPRC
environment variable. That wrapper is the file I am concerned about
here.

> HOWEVER, I don't want them to be able to modify or delete the file 
> and/or it's permissions. Another program will do that.

Malcolm: Deleting or creating a file requires write access in the
directory containg the file reference -- it has nothing to do with the
permissions on the file itself.

Brett:I only want one particular file in the directory to be untouchable
so directory permissions aren't helpful. Directory permissions only go
part of the way as the file has to be read-only as well.

Anyway, for what it's worth, I have found a fix; in FreeBSD 6.2 the
MAC_BSDEXTENDED filesystem firewall has been enhanced.

If I use that, make the file suid (harmless since it's already owned by
the user),  then the ugidfw rule below all works well :

"ugidfw add subject not uid 0 object suid rx"

This works well as this is the only non-root suid file on the system. In
other systems where this may not be the case the rule should still be
harmless as these suid files SHOULD only have rx permissions for
non-root users anyway. :-)

The only gotcha to that would be during program upgrades performed via a
non-root user; the rule will either need to be relaxed or an additional
specific rule could be placed above it to allow suid modifications to
any specific non-root owned programs that may be in place. 

Cheers,
Brett.


>
> This, under standard Unix permissions, is a tad difficult. :-)
>
> ACL's don't help here as the owner of a file has the ability to change

> permissions.
>
> I could set the immutable bit (Linux term for the schg flag) but the 
> modifying program does not recognise this flag and will thus fail to 
> modify the file.
> (I have no control over the modifying program).
>
> Any ideas?
>
> I don't want to go down the line of using BSD MAC but I'm starting to 
> think I may have too just to be able to prevent the user from 
> modifying ONE file! (I'm not even sure I could implement this using 
> MAC anyway).
>
> Cheers,
> Brett.
> ___
> freebsd-questions@freebsd.org mailing list 
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"[EMAIL PROTECTED]"
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


RE: Permissions advice needed.

2007-01-09 Thread Brett Davidson
Unfortunately, as I expounded to Malcolm Lay, in this application (a
shared-hosting webserver) suexec is being used which does not traverse
symbolic links. :-(
 
MAC_BSDEXTENDED in Bsd6.2 solves the problem very nicely.
 
Cheers,
Brett.
 
 



From: George Vanev [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 9 January 2007 7:42 p.m.
To: Brett Davidson
Subject: Re: Permissions advice needed.


Brett,
 
Why don't you make a symbolic link to that file.
You may set read, write and execute permissions if you wish... doesn't
matter.
The users will be able to run your executable via the link,
but they won't be able to modify it.

 
On 1/8/07, Brett Davidson <[EMAIL PROTECTED]> wrote: 

I have a curious problem.

I need an executable file to be owned by a user's uid and gid so
they 
can run it.
HOWEVER, I don't want them to be able to modify or delete the
file
and/or it's permissions. Another program will do that.

This, under standard Unix permissions, is a tad difficult. :-) 

ACL's don't help here as the owner of a file has the ability to
change
permissions.

I could set the immutable bit (Linux term for the schg flag) but
the
modifying program does not recognise this flag and will thus
fail to 
modify the file.
(I have no control over the modifying program).

Any ideas?

I don't want to go down the line of using BSD MAC but I'm
starting to
think I may have too just to be able to prevent the user from
modifying 
ONE file! (I'm not even sure I could implement this using MAC
anyway).

Cheers,
Brett.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "
[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> "





-- 
George Vanev

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


FW: Permissions advice needed.

2007-01-09 Thread Brett Davidson
-Original Message-
From: Malcolm Kay [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 9 January 2007 6:03 p.m.
To: freebsd-questions@freebsd.org
Cc: Brett Davidson
Subject: Re: Permissions advice needed.

On Tue, 9 Jan 2007 06:13 am, Brett Davidson wrote:
> I have a curious problem.
>
> I need an executable file to be owned by a user's uid and gid so they 
> can run it.

Malcolm: A user does not need to own a file to be able to run it. All
they need is execute permission. So what is the real problem?

Brett: This file is being run via suexec in Apache, so yes, both uid and
gid need to match in order for the file to be run. 
This particular system is running a shared-hosting webserver and
utilising php-cgi and suexec appears to be the easiest way of providing
inter-site isolation.
The only problem with that is that you need a wrapper in order to
provide customised php.ini settings for each site via the PHPRC
environment variable. That wrapper is the file I am concerned about
here.

> HOWEVER, I don't want them to be able to modify or delete the file 
> and/or it's permissions. Another program will do that.

Malcolm: Deleting or creating a file requires write access in the
directory containg the file reference -- it has nothing to do with the
permissions on the file itself.

Brett:I only want one particular file in the directory to be untouchable
so directory permissions aren't helpful. Directory permissions only go
part of the way as the file has to be read-only as well.

Anyway, for what it's worth, I have found a fix; in FreeBSD 6.2 the
MAC_BSDEXTENDED filesystem firewall has been enhanced.

If I use that, make the file suid (harmless since it's already owned by
the user),  then the ugidfw rule below all works well :

"ugidfw add subject not uid 0 object suid rx"

This works well as this is the only non-root suid file on the system. In
other systems where this may not be the case the rule should still be
harmless as these suid files SHOULD only have rx permissions for
non-root users anyway. :-)

The only gotcha to that would be during program upgrades performed via a
non-root user; the rule will either need to be relaxed or an additional
specific rule could be placed above it to allow suid modifications to
any specific non-root owned programs that may be in place. 

Cheers,
Brett.


>
> This, under standard Unix permissions, is a tad difficult. :-)
>
> ACL's don't help here as the owner of a file has the ability to change

> permissions.
>
> I could set the immutable bit (Linux term for the schg flag) but the 
> modifying program does not recognise this flag and will thus fail to 
> modify the file.
> (I have no control over the modifying program).
>
> Any ideas?
>
> I don't want to go down the line of using BSD MAC but I'm starting to 
> think I may have too just to be able to prevent the user from 
> modifying ONE file! (I'm not even sure I could implement this using 
> MAC anyway).
>
> Cheers,
> Brett.
> ___
> freebsd-questions@freebsd.org mailing list 
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Permissions Question & Re: Permissions advice needed

2007-01-09 Thread [EMAIL PROTECTED]
The following suggestion should work for both problems and avoid the
difficulties I saw with the other solutions.
Write an executable (Korn shell) script owned by the owner of the
files to be examined (thus he should have all the access he needs)
which checks the user-id of its caller [effective and/or original]
(to make sure unauthorized users don't get access) and the current
date against an end-date (to shut off access at the desired date
automatically), probably use the julian date to make checking easier.

While I have your attention, does anybody know of jobs for any or all
of the following: C/C++, Korn shell scripts, and  SQL (Sybase) 
programmers.  I live in the NYC suburbs area (Rockland Cty) and
I'm willing to telecommute and maybe even relocate.  My resume can
be sent by email upon request.

On 1/8/2007, "Andy Greenwood" <[EMAIL PROTECTED]> wrote
>On 1/8/07, Kirk Strauser <[EMAIL PROTECTED]> wrote:
> On Monday 08 January 2007 12:07 pm, Jay Chandler wrote:
>
>> I've got a user who needs to be able to view (read only) the aliases
>> file.  We'll grant him root access a few weeks after the eventual
>> heat-death of the universe, so how would you all go about doing this?
>>
>> You could configure sudo to give him access to run that one
>> command as root.
One has to be very careful about giving out such access!
root has much power.

On 8 Jan 2007 13:24:58, Kirk Strauser <[EMAIL PROTECTED]> wrote
> On Monday 08 January 2007 12:57 pm, Andy Greenwood wrote:
>> I've never used them, but wasn't ACL written just for this scenario?

> Perhaps, but that seems like a lot more effort to accomplish a
> relatively easy job.
Would work, but it doesn't take into account the time limitation
(>> We'll grant him root access a few weeks).

On 8 Jan 2007 15:07:01, Robert Huff <[EMAIL PROTECTED]> wrote
> Jay Chandler writes:

(snip)
>> Hand him some sheets of printout?
Waste of paper (and trees).  Also, one can't use  UNIX  tools on the
data (e.g.,  grep , editors) to put some of the data in other docs.
>>   
>>  Sadly, the data change too often for this to be effective.

>   Copy the file evey N minutes, then change ownership and
> permissions?
Again, too much work for the owner.

On 08 Jan 2007 13:19:32 Jay Chandler <[EMAIL PROTECTED]> wrote
>Robert Huff wrote:
>> Jay Chandler writes:
>>
>>(snip)
>>  Copy the file evey N minutes, then change ownership and
>> permissions?
>>(snip)
> Probably the simplest way to do it-- just wanted to make sure I wasn't
> overlooking something silly.

> Thanks!
Too much work for the one copying unless he has a script do it
maybe as a  cron  job.


On 9 Jan 2007 08:43:11, "Brett Davidson" <[EMAIL PROTECTED]> wrote
(on Subject: Permissions advice needed.)
> 
> I have a curious problem.
> 
> I need an executable file to be owned by a user's uid and gid so they
> can run it.
A user can run a script/binary file whose uid and gid differ from his
(Just give "other" 'rx' permission.)
If you want to give such access only to one user, put him in an ACL.
Give him 'rx' permission; he won't be able to modify the file.
Anyway, why must the executable file be owned by the user running it?
> HOWEVER, I don't want them to be able to modify or delete the file
> and/or it's permissions. Another program will do that.

> This, under standard Unix permissions, is a tad difficult. :-)
"difficult"???  I don't see that.
> ACL's don't help here as the owner of a file has the ability to 
> change permissions.

> I could set the immutable bit (Linux term for the schg flag) but the
> modifying program does not recognise this flag and will thus fail to
> modify the file.
> (I have no control over the modifying program).

> Any ideas?


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Permissions advice needed.

2007-01-09 Thread Jay Chandler

Malcolm Kay wrote:

On Tue, 9 Jan 2007 04:02 pm, Garrett Cooper wrote:
  

Why does he need access to aliases though? For mail program
purposes? -Garrett



I think you may have mixed up two threads with very similar 
subject lines. I see no reference to aliases in this thread.

(Confusing isn't it)

Malcolm
  

Yeah, I pick interesting times to start threads it would seem. :-)

We're doing some group membership stuff through the aliases file, and 
this guy helps administer some of them in a tertiary sense.  The correct 
way to do this is of course through our LDAP directory, but that would 
of course make entirely too much sense...


--
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / [EMAIL PROTECTED]
Today's Excuse: user to computer ratio too high. 


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Permissions advice needed.

2007-01-08 Thread Malcolm Kay
On Tue, 9 Jan 2007 04:02 pm, Garrett Cooper wrote:
> Malcolm Kay wrote:
> > On Tue, 9 Jan 2007 06:13 am, Brett Davidson wrote:
> >> I have a curious problem.
> >>
> >> I need an executable file to be owned by a user's uid and
> >> gid so they can run it.
> >
> > A user does not need to own a file to be able to run it. All
> > they need is execute permission. So what is the real
> > problem?
> >
> >> HOWEVER, I don't want them to be able to modify or delete
> >> the file and/or it's permissions. Another program will do
> >> that.
> >
> > Deleting or creating a file requires write access in the
> > directory containg the file reference -- it has nothing to
> > do with the permissions on the file itself.
> >
> > Malcolm
> >
> >> This, under standard Unix permissions, is a tad difficult.
> >> :-)
> >>
> >> ACL's don't help here as the owner of a file has the
> >> ability to change permissions.
> >>
> >> I could set the immutable bit (Linux term for the schg
> >> flag) but the modifying program does not recognise this
> >> flag and will thus fail to modify the file.
> >> (I have no control over the modifying program).
> >>
> >> Any ideas?
> >>
> >> I don't want to go down the line of using BSD MAC but I'm
> >> starting to think I may have too just to be able to prevent
> >> the user from modifying ONE file! (I'm not even sure I
> >> could implement this using MAC anyway).
> >>
> >> Cheers,
> >> Brett.
>
> Make a specialized setuid script or program to do that, and
> set the sticky bit appropriately if you don't want them to
> have direct access to the file. Just make sure that others
> don't have access to the file.
>
> Why does he need access to aliases though? For mail program
> purposes? -Garrett

I think you may have mixed up two threads with very similar 
subject lines. I see no reference to aliases in this thread.
(Confusing isn't it)

Malcolm

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Permissions advice needed.

2007-01-08 Thread Garrett Cooper

Malcolm Kay wrote:

On Tue, 9 Jan 2007 06:13 am, Brett Davidson wrote:
  

I have a curious problem.

I need an executable file to be owned by a user's uid and gid
so they can run it.



A user does not need to own a file to be able to run it. All they 
need is execute permission. So what is the real problem?


  

HOWEVER, I don't want them to be able to modify or delete the
file and/or it's permissions. Another program will do that.



Deleting or creating a file requires write access in the 
directory containg the file reference -- it has nothing to do 
with the permissions on the file itself.


Malcolm

  

This, under standard Unix permissions, is a tad difficult. :-)

ACL's don't help here as the owner of a file has the ability
to change permissions.

I could set the immutable bit (Linux term for the schg flag)
but the modifying program does not recognise this flag and
will thus fail to modify the file.
(I have no control over the modifying program).

Any ideas?

I don't want to go down the line of using BSD MAC but I'm
starting to think I may have too just to be able to prevent
the user from modifying ONE file! (I'm not even sure I could
implement this using MAC anyway).

Cheers,
Brett.
Make a specialized setuid script or program to do that, and set the 
sticky bit appropriately if you don't want them to have direct access to 
the file. Just make sure that others don't have access to the file.


Why does he need access to aliases though? For mail program purposes?
-Garrett
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Permissions advice needed.

2007-01-08 Thread Malcolm Kay
On Tue, 9 Jan 2007 06:13 am, Brett Davidson wrote:
> I have a curious problem.
>
> I need an executable file to be owned by a user's uid and gid
> so they can run it.

A user does not need to own a file to be able to run it. All they 
need is execute permission. So what is the real problem?

> HOWEVER, I don't want them to be able to modify or delete the
> file and/or it's permissions. Another program will do that.

Deleting or creating a file requires write access in the 
directory containg the file reference -- it has nothing to do 
with the permissions on the file itself.

Malcolm

>
> This, under standard Unix permissions, is a tad difficult. :-)
>
> ACL's don't help here as the owner of a file has the ability
> to change permissions.
>
> I could set the immutable bit (Linux term for the schg flag)
> but the modifying program does not recognise this flag and
> will thus fail to modify the file.
> (I have no control over the modifying program).
>
> Any ideas?
>
> I don't want to go down the line of using BSD MAC but I'm
> starting to think I may have too just to be able to prevent
> the user from modifying ONE file! (I'm not even sure I could
> implement this using MAC anyway).
>
> Cheers,
> Brett.
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Permissions advice needed.

2007-01-08 Thread Brett Davidson
I have a curious problem.

I need an executable file to be owned by a user's uid and gid so they
can run it.
HOWEVER, I don't want them to be able to modify or delete the file
and/or it's permissions. Another program will do that.

This, under standard Unix permissions, is a tad difficult. :-)

ACL's don't help here as the owner of a file has the ability to change
permissions.

I could set the immutable bit (Linux term for the schg flag) but the
modifying program does not recognise this flag and will thus fail to
modify the file.
(I have no control over the modifying program).

Any ideas?

I don't want to go down the line of using BSD MAC but I'm starting to
think I may have too just to be able to prevent the user from modifying
ONE file! (I'm not even sure I could implement this using MAC anyway).

Cheers,
Brett.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"