From owner-freebsd-questions@FreeBSD.ORG Tue Jan 9 20:07:13 2007
From: "Brett Davidson" <brett@net24.co.nz>
To: freebsd-questions@freebsd.org
Date: Wed, 10 Jan 2007 09:07:11 +1300
Subject: RE: Permissions advice needed.
Message-ID: <60224D09909C0B43A50935A0893D8FF31DA352@srv.exchange.net24.net.nz>

To clarify a point, the following line,

    This works well as this is the only non-root suid file on the system

should be replaced with

    This works well as this is the only "non-root accessible" suid file on the system.

Cheers,
Brett.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Brett Davidson
Sent: Wednesday, 10 January 2007 8:53 a.m.
To: freebsd-questions@freebsd.org
Subject: FW: Permissions advice needed.

-----Original Message-----
From: Malcolm Kay [mailto:malcolm.kay@internode.on.net]
Sent: Tuesday, 9 January 2007 6:03 p.m.
To: freebsd-questions@freebsd.org
Cc: Brett Davidson
Subject: Re: Permissions advice needed.

On Tue, 9 Jan 2007 06:13 am, Brett Davidson wrote:
> I have a curious problem.
>
> I need an executable file to be owned by a user's uid and gid so they
> can run it.

Malcolm:
A user does not need to own a file to be able to run it.
All they need is execute permission.
So what is the real problem?

Brett:
This file is being run via suexec in Apache, so yes, both uid and gid need to match in order for the file to be run.
This particular system is running a shared-hosting webserver and utilising php-cgi and suexec appears to be the easiest way of providing inter-site isolation. The only problem with that is that you need a wrapper in order to provide customised php.ini settings for each site via the PHPRC environment variable. That wrapper is the file I am concerned about here.

> HOWEVER, I don't want them to be able to modify or delete the file
> and/or its permissions. Another program will do that.

Malcolm:
Deleting or creating a file requires write access in the directory containing the file reference -- it has nothing to do with the permissions on the file itself.

Brett:
I only want one particular file in the directory to be untouchable so directory permissions aren't helpful. Directory permissions only go part of the way as the file has to be read-only as well.

Anyway, for what it's worth, I have found a fix; in FreeBSD 6.2 the MAC_BSDEXTENDED filesystem firewall has been enhanced. If I use that, make the file suid (harmless since it's already owned by the user), then the ugidfw rule below all works well:

    "ugidfw add subject not uid 0 object suid rx"

This works well as this is the only non-root suid file on the system. In other systems where this may not be the case the rule should still be harmless as these suid files SHOULD only have rx permissions for non-root users anyway.
:-)

The only gotcha to that would be during program upgrades performed via a non-root user; the rule will either need to be relaxed or an additional specific rule could be placed above it to allow suid modifications to any specific non-root owned programs that may be in place.

Cheers,
Brett.

>
> This, under standard Unix permissions, is a tad difficult. :-)
>
> ACL's don't help here as the owner of a file has the ability to change
> permissions.
>
> I could set the immutable bit (Linux term for the schg flag) but the
> modifying program does not recognise this flag and will thus fail to
> modify the file.
> (I have no control over the modifying program).
>
> Any ideas?
>
> I don't want to go down the line of using BSD MAC but I'm starting to
> think I may have to just to be able to prevent the user from
> modifying ONE file! (I'm not even sure I could implement this using
> MAC anyway).
>
> Cheers,
> Brett.
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
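The ugidfw rule from the thread, and the ordering gotcha Brett raises for upgrades done by a non-root user, can be walked through with a small model of how mac_bsdextended evaluates its rule list. This is an added example for the archive page, not code from the thread or from FreeBSD. It assumes first-match evaluation (the default behaviour, controlled by the sysctl security.mac.bsdextended.firstmatch_enabled as I understand it), hypothetical uids 1001 (an account that installs wrapper updates) and 1002 (a shared-hosting site owner), and the ugidfw(8) command syntax with the `mode` keyword; check the man page of your release before pasting the rendered commands. The model answers only whether the MAC policy permits an access; ordinary DAC permissions still apply on top.

```python
"""Toy model of FreeBSD mac_bsdextended (ugidfw) rule evaluation.

Added example for this thread, not FreeBSD source. Assumes first-match
semantics (sysctl security.mac.bsdextended.firstmatch_enabled=1, the
default) and hypothetical uids 1001/1002 chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Access letters as in ugidfw(8): a=administrative (chmod/chown/chflags...),
# r=read, s=stat, w=write, x=execute.
ALL_MODES = frozenset("arswx")


@dataclass(frozen=True)
class FileObj:
    uid: int
    suid: bool = False


@dataclass(frozen=True)
class Rule:
    subject_uid: Optional[int] = None  # None matches any subject uid
    subject_not: bool = False          # "subject not uid N"
    object_uid: Optional[int] = None   # None matches any object owner
    object_suid: bool = False          # "object suid": setuid files only
    mode: str = ""                     # access letters this rule permits

    def matches(self, subject_uid: int, obj: FileObj) -> bool:
        subj = self.subject_uid is None or subject_uid == self.subject_uid
        if self.subject_not:
            subj = not subj
        if self.object_uid is not None and obj.uid != self.object_uid:
            return False
        if self.object_suid and not obj.suid:
            return False
        return subj

    def to_ugidfw(self) -> str:
        """Render the rule as a ugidfw(8) command (note the 'mode' keyword)."""
        words = ["ugidfw", "add", "subject"]
        if self.subject_not:
            words.append("not")
        if self.subject_uid is not None:
            words += ["uid", str(self.subject_uid)]
        words.append("object")
        if self.object_uid is not None:
            words += ["uid", str(self.object_uid)]
        if self.object_suid:
            words.append("suid")
        words += ["mode", self.mode]
        return " ".join(words)


def mac_permits(rules: List[Rule], subject_uid: int, obj: FileObj, access: str) -> bool:
    """First matching rule decides: permitted iff every requested letter is in
    its mode. No match means the policy abstains (ordinary DAC still applies)."""
    want = set(access)
    if not want <= ALL_MODES:
        raise ValueError(f"unknown access letters: {want - ALL_MODES}")
    for rule in rules:
        if rule.matches(subject_uid, obj):
            return want <= set(rule.mode)
    return True


UPGRADE_UID = 1001  # hypothetical non-root account that installs wrapper updates
SITE_UID = 1002     # hypothetical shared-hosting site owner

# Rule from the thread: non-root subjects get only r+x on any suid object.
GENERAL_RULE = Rule(subject_uid=0, subject_not=True, object_suid=True, mode="rx")
# Specific exception for upgrades; it must sit ABOVE the general rule.
UPGRADE_RULE = Rule(subject_uid=UPGRADE_UID, object_uid=SITE_UID,
                    object_suid=True, mode="arswx")

POLICY = [UPGRADE_RULE, GENERAL_RULE]


def evaluate(policy: List[Rule]) -> Dict[str, bool]:
    """Outcomes for the thread's scenarios under a given rule order."""
    wrapper = FileObj(uid=SITE_UID, suid=True)   # the suexec php-cgi wrapper
    plain = FileObj(uid=SITE_UID, suid=False)    # any other file of the site
    return {
        "site_runs_wrapper": mac_permits(policy, SITE_UID, wrapper, "rx"),
        "site_chmods_wrapper": mac_permits(policy, SITE_UID, wrapper, "a"),
        "site_writes_wrapper": mac_permits(policy, SITE_UID, wrapper, "w"),
        "site_edits_plain_file": mac_permits(policy, SITE_UID, plain, "rw"),
        "root_writes_wrapper": mac_permits(policy, 0, wrapper, "aw"),
        "upgrade_writes_wrapper": mac_permits(policy, UPGRADE_UID, wrapper, "w"),
    }


if __name__ == "__main__":
    for r in POLICY:
        print(r.to_ugidfw())
    for name, ok in evaluate(POLICY).items():
        print(f"{name:24s} {'permit' if ok else 'DENY'}")
    # With the exception placed below the general rule it never gets to match:
    print("reversed order, upgrade user write:",
          evaluate(list(reversed(POLICY)))["upgrade_writes_wrapper"])
```

Two things the model makes visible. First, mode `rx` leaves out the `a` (administrative) letter, so the owner's chmod/chown on the suid wrapper is refused even though DAC and ACLs would allow it; that is exactly the gap Brett could not close with ACLs or schg. Second, because the first matching rule decides, the upgrade exception only works if it has a lower rule number than the general rule: `ugidfw add` appends, so either add the exception first or place it with `ugidfw set <n>`, and confirm the order with `ugidfw list`.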