Re: Help! File permissions keep changing...
On Wed, 18 Feb 2004 23:30, Kristopher Matthews <krism@evilpen.net> wrote:
> > This is a security nightmare. I would *not* recommend doing any such
> > thing in a user filesystem.
>
> You're making the assumption that he LIKES his users. :)
It's not a matter of whether the admin likes his users, it's whether they like
him.
A hostile user can create a hard link to /etc/shadow, /etc/passwd, etc in
their home directory. Then such a recursive chown will give the hostile user
root on the machine.
If you are going to change such things then you need to use the -uid or -gid
options to find (depending on whether you are changing the UID or GID), and
you need to do it when the machine is in single-user mode (i.e. no-one can
login and cron jobs can't run).
The other way of doing it properly is to write a program that opens each
file, calls fstat() to check the UID/GID, then uses fchown() or fchmod().
It would be nice if someone was to patch the -R option of chown/chgrp/chmod in
coreutils to do this sort of thing.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
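
The open / fstat() / fchown() approach described in the message above, as an added C example that is not part of the original post. rechown_entry and its return codes are hypothetical names; it assumes Linux behaviour (openat() with O_NOFOLLOW fails with ELOOP on a symlink) and handles regular files only.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum { RECHOWN_CHANGED = 0, RECHOWN_SKIPPED = 1, RECHOWN_ERROR = -1 };

/* Hypothetical helper: re-own entry `name` of the open directory `dirfd`,
 * but only if the inode we actually opened still belongs to old_uid. */
int rechown_entry(int dirfd, const char *name,
                  uid_t old_uid, uid_t new_uid, gid_t new_gid)
{
    struct stat st;
    int rc = RECHOWN_SKIPPED;
    /* O_NOFOLLOW: never follow a symlink planted in the tree.
     * O_NONBLOCK: do not hang if the entry is a FIFO or device node. */
    int fd = openat(dirfd, name,
                    O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return errno == ELOOP ? RECHOWN_SKIPPED : RECHOWN_ERROR;

    if (fstat(fd, &st) != 0) {
        rc = RECHOWN_ERROR;
    } else if (S_ISREG(st.st_mode) && st.st_uid == old_uid) {
        /* The check and the change use the same descriptor, so the name
         * cannot be swapped for another inode in between. A hard link to
         * a root-owned file fails the st_uid test and is left alone. */
        rc = fchown(fd, new_uid, new_gid) == 0 ? RECHOWN_CHANGED : RECHOWN_ERROR;
    }
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 5) {
        fprintf(stderr, "usage: %s DIR NAME OLD_UID NEW_UID\n", argv[0]);
        return 2;
    }
    int d = open(argv[1], O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (d < 0) { perror(argv[1]); return 1; }
    int rc = rechown_entry(d, argv[2], (uid_t)strtoul(argv[3], NULL, 10),
                           (uid_t)strtoul(argv[4], NULL, 10), (gid_t)-1);
    printf("%s: %s\n", argv[2], rc == RECHOWN_CHANGED ? "changed"
                              : rc == RECHOWN_SKIPPED ? "skipped" : "error");
    close(d);
    return rc == RECHOWN_ERROR;
}
```

Passing (gid_t)-1 leaves the group unchanged; a full tool would walk the tree with openat() on each directory descriptor and call this per entry.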