Re: suid binaries should not be writable by owner
>>>>> "Joey" == Joey Hess <joeyh@debian.org> writes:

Joey> Argh, egg on face: linux lets the owner of a file modify it
Joey> even if it is mode 444 and in a directory they do not
Joey> own. Yuck! Is this standard unix semantics? It sucks.

The directory is irrelevant - you are not changing the directory, only
a file (technically the inode) within.

However, I am a bit surprised you can edit the file; normally you
would have to make it 644 first. Perhaps your editor or whatever
does this for you?

As an example:

[578] [snoopy:bam] /tmp/a >ls -l
total 0
-r--r--r-- 1 bam root 0 Feb 6 14:30 b
[579] [snoopy:bam] /tmp/a >echo aaa >> b
zsh: permission denied: b
[580] [snoopy:bam] /tmp/a >chmod 644 b
[581] [snoopy:bam] /tmp/a >echo aaa >> b

Where a has:

drwxr-xr-x 2 root root 4096 Feb 6 14:30 ./

This is standard Unix semantics.

Sooo... your proposal might get a little gain in security, but not
much, since the owner of the file can just turn on write permission
anyway.
--
Brian May <bam@debian.org>
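
Added example, not part of the message above: a Python sketch that replays the 444 / chmod 644 sequence from the transcript and then audits setuid files for the case the thread is about. The function names and labels are this example's own, and /usr/bin is only an assumed place to scan.

```python
import os
import stat
import tempfile

def can_append(path):
    """True if this process can open path for appending."""
    try:
        with open(path, "a") as fh:
            fh.write("aaa\n")
        return True
    except PermissionError:
        return False

def replay_transcript():
    """0444 file -> append -> chmod 644 by owner -> append, as in the post."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "b")
        open(path, "w").close()
        os.chmod(path, 0o444)
        before = can_append(path)  # denied, unless running as root
        os.chmod(path, 0o644)      # permitted: we own the inode
        after = can_append(path)
    return before, after, os.geteuid() == 0

def classify_suid(mode, uid):
    """Label a file from st_mode/st_uid (labels are this example's own)."""
    if not (stat.S_ISREG(mode) and mode & stat.S_ISUID):
        return "not-suid"
    if mode & stat.S_IWUSR:
        return "owner-writable"
    # Write bit is clear, but a non-root owner can chmod it back on.
    return "root-owned-no-write-bit" if uid == 0 else "owner-can-chmod-back"

def audit(root):
    """Yield (path, label) for every setuid regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry
            label = classify_suid(st.st_mode, st.st_uid)
            if label != "not-suid":
                yield path, label

if __name__ == "__main__":
    print(replay_transcript())
    for path, label in audit("/usr/bin"):
        print(label, path)
```

Files labelled owner-can-chmod-back are the ones where a cleared write bit buys little, because the non-root owner can restore it.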