From: Matthew Seaman
To: questions@freebsd.org
Date: Sun, 30 Mar 2003 11:15:06 +0100
Subject: Re: file permission baffle

On Sun, Mar 30, 2003 at 03:11:18AM -0500, David Banning wrote:
> I have these links from my web directory;
>
> root# cd /usr/local/www/data/fax/
> root# ls -l
>
> lrwxr-xr-x 1 root wheel 18 Mar 29 16:37 chantelle -> /usr/chantelle/fax
> lrwxrwxrwx 1 root wheel 14 Mar 10 00:15 david -> /usr/david/fax
>
> I can't change the permissions on them. It's because the permissions
> are dependent on the linked directory right?

Doesn't seem so; you can use 'chmod -h' to change the permissions on
the link itself. e.g.

    % ln -s bar baz
    /tmp/foo:% ls -la
    total 0
    -rw-r--r-- 1 matthew wheel 0 Mar 30 10:13 bar
    lrwxr-xr-x 1 matthew wheel 3 Mar 30 10:14 baz@ -> bar
    % chmod -h 664 baz
    % ls -la
    total 0
    -rw-r--r-- 1 matthew wheel 0 Mar 30 10:13 bar
    lrw-rw-r-- 1 matthew wheel 3 Mar 30 10:14 baz@ -> bar

When you open a file or directory via a symbolic link, first you need
sufficient permissions to read the link itself --- think of it as a
tiny little file that simply contains the name of the file that should
really be opened. However, once that has been done, the system
automatically switches to opening the link target instead, and it's
the permissions on the target and its containing directory that have
the most effect practically.

There's a '-h' flag to chown(1) that works equivalently for changing
ownership.

However, in general, you don't need to fiddle with link permissions
and ownership. root:wheel ownership and lrwxrwxrwx permissions will
work just fine.

> root# ls -ld /usr/chantelle/fax
> drwxrwxrwx 2 chantelle wheel 512 Mar 30 02:26 /usr/chantelle/fax
> root# ls -ld /usr/david/fax
> drwxrwxrwx 2 david wheel 512 Mar 30 02:40 /usr/david/fax
> root#
>
> Even going further upstream doesn't show anything;
>
> root# ls -ld /usr/chantelle
> drwxr-xr-x 7 chantelle wheel 1024 Mar 29 23:13 /usr/chantelle
> root# ls -ld /usr/david
> drwxr-xr-x 68 david wheel 5632 Mar 29 22:23 /usr/david
>
> I am having a problem writing to the top dir shown, (chantelle)
> but not the following one (david).

Hmmm... I think you're barking somewhat up the wrong tree here.
Permissions are too lax, if anything --- I'd certainly change the
permissions on those personal fax directories to 755 or 775.

The question is, what is the UID of the process that is attempting to
write to those fax directories? Is it a well known Fax management
package or something home brewed? Either way permissions need to be
controlled. The process either has to have a real UID of root and be
able to set its effective UID to the owner of the directory (see
seteuid(2)), or it has to belong to the same group as the group
ownership of the directories, and group write permission has to be set
on the directories. In the latter case, it helps to make sure that
any files created also have group write permission or the directory
owner won't be able to modify them.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
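
Added example, not part of the original message: a Python sketch of the diagnosis discussed above, listing which path components' mode bits stop a given effective UID and group set from creating files in a directory reached through a symlink. The temporary layout and the `daemon_uid` value are constructed for illustration, and only classic mode bits are modelled.

```python
import os
import shutil
import tempfile

def class_bits(st, uid, gids):
    """rwx triplet (0-7) of the single permission class that applies."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7    # owner class is used even if "other" is laxer
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def blockers(path, euid, gids):
    """Components that stop euid/gids creating a file in directory `path`.
    Classic mode bits only; ACLs, file flags and MAC policy are ignored."""
    if euid == 0:
        return []                        # root bypasses mode bits
    target = os.path.realpath(path)      # resolve links: the link's own mode is not checked
    found, comp = [], target
    while True:
        need = 3 if comp == target else 1    # w+x on the target, x on each ancestor
        st = os.stat(comp)
        if (class_bits(st, euid, gids) & need) != need:
            found.append((comp, oct(st.st_mode & 0o7777)))
        parent = os.path.dirname(comp)
        if parent == comp:
            return found
        comp = parent

def demo():
    """Constructed layout: <tmp>/chantelle/fax reached via <tmp>/www/chantelle."""
    top = tempfile.mkdtemp()
    fax = os.path.join(top, "chantelle", "fax")
    os.makedirs(fax)
    os.mkdir(os.path.join(top, "www"))
    link = os.path.join(top, "www", "chantelle")
    os.symlink(fax, link)
    st = os.stat(fax)
    daemon_uid, daemon_gids = st.st_uid + 1, {st.st_gid}  # hypothetical non-owner in the group
    results = {}
    for mode in (0o755, 0o775):
        os.chmod(fax, mode)
        hit = [c for c, _ in blockers(link, daemon_uid, daemon_gids)]
        results[mode] = os.path.realpath(fax) in hit      # True: the fax dir itself blocks
    shutil.rmtree(top)
    return results

if __name__ == "__main__":
    print(demo())
```

On a real system, pass the writing process's effective UID and its full group list to `blockers()`, and run it as a user able to stat every component of the path.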