
Re: permissions in general (WAS: Re: permissions in /sbin)



On Wed, 5 Dec 2007 16:58:59 +0100
"Martin Marcher" <martin@marcher.name> wrote:

> Hi,
> 
> jumping in.
> 
> On 12/4/07, andy <geek_show@dsl.pipex.com> wrote:
> > ls -l /sbin is all
> >
> > -rwxr-xr-x 1 root root   ...
> 
> I understand this issue. What I don't get is why it seems to be the
> overall default that others may read and execute files in most cases.
> 
> To me it would make sense to have something like (very naive right
> now, hope you get the idea):
> 
> /bin root:users rwxr-x---
> /sbin root:adm rwxr-x---
> /usr/bin root:users rwxr-x---
> /usr/sbin root:adm rwxr-x---

I do get your idea, but have a look at /bin! You will find some very
important stuff there, like bash, login and cat, but many more, that
every user should be able to use.
I also get that you want to enable every user by adding r-x rights to
the users group, but there are a few "users" that are not members of
the users group, such as www-data (Apache's "user") and postgres. They
also need those binaries.

> and so on. Using ACLs it would be very easy to add even more groups.
> I think the explicit adding of others would make a lot of sense and
> secure the system in a standard way.
> 
> I guess it's more a historical reason that others can r+x most of the
> system but I can see a lot of benefits in denying others by default
> (of course there's a lot of work involved to migrate from the current
> permission schema that's at least a serious drawback)
> 
> What do you think?
> 


-- 
Szia:
		Nyizsa.
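
The objection in the reply above, as an added example that is not part of the original message: a check that lists which accounts are outside a group and would therefore lose access to a directory set to root:<group> rwxr-x---. The helper name accounts_outside_group and the sample passwd/group entries (UIDs, GIDs, memberships) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Lists accounts that are NOT in a group,
# i.e. those locked out of a directory set to root:<group> rwxr-x---.
# accounts_outside_group is a hypothetical helper name.

accounts_outside_group() {
    # $1 = group name, $2 = passwd-format file, $3 = group-format file
    awk -F: -v grp="$1" '
        BEGIN { gid = "none" }   # stays "none" if the group does not exist
        # Pass 1 (group file): record gid and supplementary members of grp.
        pass == 1 {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) member[m[i]] = 1
            }
            next
        }
        # Pass 2 (passwd file): root owns the files, so skip it. Print every
        # account whose primary gid differs and that is not a listed member.
        $1 != "root" && $4 != gid && !($1 in member) { print $1 }
    ' pass=1 "$3" pass=2 "$2"
}

# Constructed sample data in passwd(5) and group(5) format.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
postgres:x:101:104:PostgreSQL:/var/lib/postgresql:/bin/bash
martin:x:1000:100:Martin:/home/martin:/bin/bash
andy:x:1001:1001:Andy:/home/andy:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
adm:x:4:martin
www-data:x:33:
users:x:100:andy
postgres:x:104:
EOF

for g in users adm; do
    echo "locked out of a root:$g rwxr-x--- directory:"
    accounts_outside_group "$g" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" | sed 's/^/  /'
done
```

On a live system the two input files can be produced with `getent passwd` and `getent group`, which also covers accounts that come from a directory service rather than the local files.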
