
Re: Help! File permissions keep changing...



On Wed, 18 Feb 2004 23:30, Kristopher Matthews <krism@evilpen.net> wrote:
> > This is a security nightmare. I would *not* recommend doing any such
> > thing in a user filesystem.
>
> You're making the assumption that he LIKES his users. :)

It's not a matter of whether the admin likes his users, it's whether they like 
him.

A hostile user can create a hard link to /etc/shadow, /etc/passwd, etc. in 
their home directory.  Then such a recursive chown will give the hostile user 
root on the machine.

If you are going to change such things then you need to use the -uid or -gid 
options to find (depending on whether you are changing the UID or GID), and 
you need to do it when the machine is in single-user mode (i.e. no one can 
log in and cron jobs can't run).

The other way of doing it properly is to write a program that opens each 
file, calls fstat() to check the UID/GID, then uses fchown() or fchmod().

It would be nice if someone was to patch the -R option of chown/chgrp/chmod in 
coreutils to do this sort of thing.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
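
The open/fstat()/fchown() approach described in the message above, as an added example that is not part of the original post and not coreutils code. The helper name `rechown_if_owned` and the restriction to regular files and directories are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* rechown_if_owned() is a hypothetical helper name, not a coreutils API.
 * Returns 0 if ownership was changed, 1 if the file was skipped because it
 * is not owned by old_uid, -1 on error or unsupported file type. */
int rechown_if_owned(const char *path, uid_t old_uid, uid_t new_uid, gid_t new_gid)
{
    struct stat st;
    int rc = -1;
    /* O_NOFOLLOW: refuse a symlink as the final path component.
     * O_NONBLOCK | O_NOCTTY: never hang on a FIFO or adopt a terminal. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;
    /* From here on every call uses the descriptor, so the check and the
     * change apply to the same inode even if the path is swapped. */
    if (fstat(fd, &st) < 0)
        goto out;
    if (!S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode))
        goto out;                 /* assumption: only files and directories */
    if (st.st_uid != old_uid) {
        rc = 1;                   /* e.g. a hard link to a root-owned file */
        goto out;
    }
    if (fchown(fd, new_uid, new_gid) == 0)
        rc = 0;
out:
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s PATH OLD_UID NEW_UID\n", argv[0]);
        return 2;
    }
    uid_t old_uid = (uid_t)strtoul(argv[2], NULL, 10);
    uid_t new_uid = (uid_t)strtoul(argv[3], NULL, 10);
    /* (gid_t)-1 leaves the group unchanged. */
    int rc = rechown_if_owned(argv[1], old_uid, new_uid, (gid_t)-1);
    printf("%s: %s\n", argv[1], rc == 0 ? "changed" : rc == 1 ? "skipped" : "error");
    return rc < 0;
}
```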


