[olug] share a folder rw, but not deletable?

Thom Harrison id4spam at cox.net
Fri Mar 28 23:19:37 UTC 2003


I put on my black hat ( a brand new one since I'm not much of a hacker ),
and thought: "if the directory has world rwx perms, what can I do with an
editor?"

vim /aaa/bbb pulled up some directory information just fine but I couldn't
modify it ==>  "cannot make changes, modifiable is off"

Easy enough, ":set modifiable" allowed me to edit the directory.  Saving it
however, wasn't so easy.
:set write               and
:set buftype=         didn't allow me to save the new directory.

I didn't have any luck with hexedit or sed either and I'm not very
proficient with emacs.

Anyway, are directories actually protected by the kernel or is there some
nasty editor out there that could actually edit directories directly and
maybe bypass some of the security rules?

Thom

Side note:  I realize I'm probably gonna muck things up pretty good if I
succeed but what the heck, that's what backups are for...   :-)
Actually, it would only take about 5 minutes to rebuild my system using
rsync between my two PCs.


----- Original Message -----
From: "Jay Hannah" <jay at jays.net>
To: "Omaha Linux User Group" <olug at olug.org>
Sent: Thursday, March 27, 2003 8:04 AM
Subject: Re: [olug] share a folder rw, but not deletable?


>
> Brian Wiese wrote:
> > |A user can delete a directory only if they have write permissions to the
> > |directory above the directory in question.
> >
> > Great, this... 'will work' and I can make it happen, thanks!  I'm really
> > starting to realize just how limited a filesystem is without mandatory
> > and discretionary access control lists.  It's just an odd thing to keep in
> > mind (of several I've discovered) difference between Unix and Windows NTFS
> > file systems... where you can give a user "delete" permissions.
>
> Limited? How so? What can't you do? Once you spend a half hour learning
> it, Unixy file permissioning is easy. I've never bothered to care about
> WinX file permissioning. (I am not an MS admin.)
>
> > Next Q: Anyone know of any good alternative unix filesystems (non ext2/3)
> > that have more access control built in?
>
> I applaud your bravery -grin-, but that seems like a lot of work to me.
> Again, what can't you do?
>
> Thom Harrison wrote:
> > The only possible problem is that the users can't delete any other files in
> > aaa either.  Apparently that's not a problem in Brian's case though.
>
> True. Good point. But it's hard for me to think of a real-world case
> where that would be a problem.
>
> > Another way to make the directory non-deletable by non-root users is set the
> > directory "t" permission and create a file within the directory that is
> > owned by root.
>
> Ooo! Sneaky.  :)  Talking about the sticky bit will quickly disprove my
> "Unixy file permissioning is easy" assertion above. -grin-
>
> > The drawback is, of course, that a user has to own any files that they want
> > to delete.  ( drawback? guess it depends on the situation ).
>
> In addition to that, I'm afraid that users may still be able to MOVE the
> directory in question. I assume Brian wanted to block that too. I messed
> around with a bunch of test cases, and whether or not you can move a
> sticky bitted directory seems to be a magical combination of directory
> and parent directory permissions. If the parent directory is locked
> down, you're fine. If not, you could have a problem. But that brings us
> away from sticky bits and back to my suggestion of parent directory
> control. -grin-
>
> After spending an hour researching when you can and can't move sticky
> bitted directories (on the same filesystem or across different
> filesystems), I'd be very surprised to find out that Brian needs
> something more complicated. Ugh. -laugh-
>
> Cheers,
>
> Jay Hannah
> Omaha Perl Mongers: http://omaha.pm.org
>
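As an added illustration, not part of the thread, here is a Python script that probes the three points discussed above: the kernel refuses to open a directory for writing (so no editor can rewrite its bytes), a parent directory without write permission blocks rmdir of its entries, and that same lock also blocks moving them. The names aaa and bbb follow the thread; parent, ccc and elsewhere are my own, and uid 0 is treated separately because root bypasses mode bits.

```python
import errno
import os
import tempfile


def attempt(op, *args):
    """Run a filesystem call and report 'OK' or the errno symbol (e.g. 'EISDIR')."""
    try:
        op(*args)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    return "OK"


def running_as_root():
    """uid 0 bypasses mode bits (CAP_DAC_OVERRIDE), so rmdir/rename succeed for root."""
    return os.geteuid() == 0


def demo():
    """Build parent/{aaa/bbb, ccc} and elsewhere/ in a temp tree, then probe each rule."""
    results = {}
    with tempfile.TemporaryDirectory() as top:
        parent = os.path.join(top, "parent")
        aaa, ccc = os.path.join(parent, "aaa"), os.path.join(parent, "ccc")
        bbb = os.path.join(aaa, "bbb")
        elsewhere = os.path.join(top, "elsewhere")
        for d in (bbb, ccc, elsewhere):
            os.makedirs(d)
        # 1. Thom's question: can a program open a directory and write its bytes?
        #    open(2) answers EISDIR for every uid, root included.
        results["write_dir"] = attempt(lambda: os.close(os.open(aaa, os.O_WRONLY)))
        # 2. Brian's rule: make the parent r-x only, so its entries cannot be unlinked.
        os.chmod(parent, 0o555)
        try:
            results["rmdir_bbb"] = attempt(os.rmdir, bbb)  # aaa is still rwx: allowed
            results["rmdir_ccc"] = attempt(os.rmdir, ccc)  # needs w on parent: EACCES
            # 3. Jay's worry: moving aaa out of the locked parent needs w on it too.
            results["rename_aaa"] = attempt(os.rename, aaa, os.path.join(elsewhere, "aaa"))
        finally:
            os.chmod(parent, 0o755)  # restore so TemporaryDirectory cleanup works
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```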


