Date: Wed, 6 Aug 2008 15:27:49 -0400 From: John Almberg <jalmberg@identry.com> To: glarkin@FreeBSD.org Cc: freebsd-questions@freebsd.org Subject: Re: Controlling read access Message-ID: <D91612D3-21D7-4D25-AC66-A96393EC34D7@identry.com> In-Reply-To: <4899DD4E.2080005@FreeBSD.org> References: <26259A11-0CE7-43FB-878C-1A989C1EB006@identry.com> <3A0AA7018522134597ED63B3B794C92A0284D829@STA-HQ-S001.starcomms.local> <E8A4465F-0D48-46F9-A5ED-B56E65BF05EB@identry.com> <3A0AA7018522134597ED63B3B794C92A028ECB61@STA-HQ-S001.starcomms.local> <8722E123-56D1-4CA0-8F57-DB0FB299EBD3@identry.com> <4899CEA9.6030209@FreeBSD.org> <578DE0D9-C68B-4D57-93E8-9D517166EA9D@identry.com> <4899DD4E.2080005@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> | Hi Greg, > | > | I tried your sequence, but it didn't seem to work. Or, perhaps it > worked > | and the PRIVSEP option doesn't do what I expect it to. Logging in > as a > | normal user gives that user root privileges. > | > | This seems pretty scary to me. Not so bad, since the user is > locked into > | his own directory, but enough power to hurt themselves, which is too > | much power, IMHO. My users aren't experts. I can definitely see them > | clicking the delete key by accident. > | > | Back to digging for info... > | > | Thanks: John > | > > Hi John, > > After logging into pure-ftpd, even if I type "cd /", I cannot break > out > of my home directory. Because of the way UNIX permissions work, if > root > ~ (or any other user) owns a file in my home directory, I can still > delete it. > If you want to prevent that, you'll have to also use the > chflags command to protect file that you don't want to be removed by > anyone. > Wow... I learn something new in this job every day, but usually not as new as that. This completely revises what I thought I knew about permissions. If you had asked me this morning if I could delete a file owned by root with permissions set to 400 from my own directory, I would have said absolutely not. How wrong I would have been... I guess I can do this because I own the directory that the foreign file is in, and I should have control over that directory... Yes... If I create a directory within my own home directory and change the ownership of that directory to root:nobody, then I cannot delete any file in that directory. Okay, this is starting to make sense. I guess I just never noticed this small detail of Unix file permissions. Very interesting! I skimmed through the chflags section of "Absolute FreeBSD" on my first read through... It rang a bell when you mentioned it, but I'd completely forgotten about it. I'm going to read it much more carefully this time :-) Anyway, thanks to everyone who has helped me out with my week-long struggle with 'simple' old FTP. "Challenge your assumptions." That's the lesson of *this* week! Brgds: John
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D91612D3-21D7-4D25-AC66-A96393EC34D7>