From owner-freebsd-questions@FreeBSD.ORG  Fri Feb 24 12:54:33 2012
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id DEDEB106566B
	for <freebsd-questions@freebsd.org>;
	Fri, 24 Feb 2012 12:54:32 +0000 (UTC)
	(envelope-from mexas@bristol.ac.uk)
Received: from dirj.bris.ac.uk (dirj.bris.ac.uk [137.222.10.78])
	by mx1.freebsd.org (Postfix) with ESMTP id 978338FC18
	for <freebsd-questions@freebsd.org>;
	Fri, 24 Feb 2012 12:54:32 +0000 (UTC)
Received: from ncsc.bris.ac.uk ([137.222.10.41])
	by dirj.bris.ac.uk with esmtp (Exim 4.72)
	(envelope-from <mexas@bristol.ac.uk>)
	id 1S0ufP-0004Te-CD; Fri, 24 Feb 2012 12:54:31 +0000
Received: from mech-cluster241.men.bris.ac.uk ([137.222.187.241])
	by ncsc.bris.ac.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.72)
	(envelope-from <mexas@bris.ac.uk>)
	id 1S0ufP-00017e-4v; Fri, 24 Feb 2012 12:54:31 +0000
Received: from mech-cluster241.men.bris.ac.uk (localhost [127.0.0.1])
	by mech-cluster241.men.bris.ac.uk (8.14.5/8.14.5) with ESMTP id
	q1OCsURL008084; Fri, 24 Feb 2012 12:54:30 GMT
	(envelope-from mexas@bris.ac.uk)
Received: (from mexas@localhost)
	by mech-cluster241.men.bris.ac.uk (8.14.5/8.14.5/Submit) id
	q1OCsUGN008083; Fri, 24 Feb 2012 12:54:30 GMT
	(envelope-from mexas@bris.ac.uk)
X-Authentication-Warning: mech-cluster241.men.bris.ac.uk: mexas set sender to
	mexas@bris.ac.uk using -f
Date: Fri, 24 Feb 2012 12:54:30 +0000
From: Anton Shterenlikht <mexas@bristol.ac.uk>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Message-ID: <20120224125430.GB8026@mech-cluster241.men.bris.ac.uk>
Mail-Followup-To: Matthew Seaman <m.seaman@infracaninophile.co.uk>,
	freebsd-questions@freebsd.org
References: <20120224090848.GA28104@mech-cluster241.men.bris.ac.uk>
	<4F47598A.9080400@infracaninophile.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4F47598A.9080400@infracaninophile.co.uk>
User-Agent: Mutt/1.4.2.3i
Cc: freebsd-questions@freebsd.org
Subject: Re: negative group permissions?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2012 12:54:33 -0000

On Fri, Feb 24, 2012 at 09:34:02AM +0000, Matthew Seaman wrote:
> On 24/02/2012 09:08, Anton Shterenlikht wrote:
> > Recently I started seeing this line
> > in daily security output:
> > 
> >   Checking negative group permissions:
> >   70834 -rw-r----x  1 root  daemon  4 Feb 21 12:54:02 2012 /var/spool/output/lpd/.seq
> > 
> > I've a parallel printer attached to
> > a 9.9-CURRENT #2 r230787M box.
> > 
> > What does it mean?
> 
> This means that non-root users in group daemon have only read
> permissions on that file.  Users that aren't root and that aren't in
> group daemon have execute permission only.
> 
> It does look a bit odd, and I believe that file would just contain a job
> number (IIRC -- haven't dealt much with lpd or lprng much recently)
> so executing it doesn't really achieve anything.
> 
> This is the standard idiom to allow access for 'everyone, except members
> of a particular group.'

yes, I get this.


> One way you can get weird permissions is if you happen to use decimal
> for permissions bitmaps rather than octal.  A umask of '77' is not the
> same thing at all as a umask of '077'.  (It's effectively 0115, which
> doesn't make much sense to me.)  Most shells nowadays will assume you
> mean octal whether you include the leading zero or not: the same is not
> true if you use umask(2) to set the mask programatically.  Ditto for
> other places you can set permissions like open(2) with O_CREAT or mkdir(2).

# umask
0022
# pwd
/var/spool/output/lpd
# ls -al
total 8
drwxr-xr-x  2 root  daemon  512 Feb 24 12:43 .
drwxr-xr-x  3 root  daemon  512 Mar  9  2010 ..
-rw-rw-r--  1 root  daemon   41 Feb 21 12:54 lock
-rw-rw-r--  1 root  daemon   25 Feb 21 12:54 status
#

Then I print something:

% pwd | lpr

Then this .seq file appears with weird permissions:

# ls -al
total 10
drwxr-xr-x  2 root  daemon  512 Feb 24 12:46 .
drwxr-xr-x  3 root  daemon  512 Mar  9  2010 ..
-rw-r----x  1 root  daemon    4 Feb 24 12:45 .seq
-rw-rw-r--  1 root  daemon   41 Feb 24 12:45 lock
-rw-rw-r--  1 root  daemon   25 Feb 24 12:45 status
# 

# cat .seq 
001
#

So presumably lpd(8) created this file, but I'm still
unsure why permissions are so strange. But interests
me more, is why I didn't see it until about 1-2 months
ago? Has something chaged in -current, e.g. in open(2)
like you suggest? Or has I messed up with my setup?
Or maybe it was always like this, but the security
check didn't pick it up?

> 
> > Should I be worried?
> 
> No more than a normal level of paranoia is indicated here.

Thanks

-- 
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423