
Re: permissions in general (WAS: Re: permissions in /sbin)



On Wednesday 05 December 2007 07:58:59 Martin Marcher wrote:
> On 12/4/07, andy <geek_show@dsl.pipex.com> wrote:
> > ls -l /sbin is all
> >
> > -rwxr-xr-x 1 root root   ...
>
> I understand this issue. What I don't get is why it seems to be the
> overall default that others may read and execute files in most cases.
>
> To me it would make sense to have something like (very naive right
> now, hope you get the idea):
>
> /bin root:users rwxr-x---
> /sbin root:adm rwxr-x---
> /usr/bin root:users rwxr-x---
> /usr/sbin root:adm rwxr-x---
>
> and so on. Using ACLs it would be very easy to add even more groups.
> I think the explicit adding of others would make a lot of sense and
> secure the system in a standard way.
>
> I guess it's more a historical reason that others can r+x most of the
> system but I can see a lot of benefits in denying others by default
> (of course there's a lot of work involved to migrate from the current
> permission schema that's at least a serious drawback)

There's very little value to blocking read or execute access to
executables.  A user could compile or download their own
executable in their own home directory to do the same job.

Instead we control what executables can do, e.g. by limiting
which files can be read or written (by any/all executables).

--Mike Bird
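
Added example, not part of the original message: a simplified model of the owner/group/other check, applied to the `/bin root:users rwxr-x---` scheme proposed in the quoted text. It shows that an account outside `users` loses access to `/bin/cat` but not to its own copy, while the data file's own mode decides every read. The accounts, numeric ids and the `own_cat` file are constructed; ACLs, capabilities and directory search bits are left out.

```python
# Added example: simplified POSIX owner/group/other check (no ACLs, no
# capabilities, no directory search bits). All users and files are constructed.

def parse_mode(sym):
    """Convert a 9-character mode string such as 'rwxr-x---' to bits."""
    return sum(1 << (8 - i) for i, ch in enumerate(sym) if ch != "-")

def allowed(want, f, user):
    """Exactly one class (owner, group or other) decides the request."""
    mode = parse_mode(f["mode"])
    if user["uid"] == 0:
        # root may always read/write; execute needs some x bit to be set
        return want != "x" or bool(mode & 0o111)
    if user["uid"] == f["uid"]:
        shift = 6
    elif f["gid"] in user["gids"]:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & {"r": 4, "w": 2, "x": 1}[want])

def read_with(tool, target, user):
    """The tool's x bit is checked at exec and the target's r bit at open,
    both against the calling user; which tool is used plays no part."""
    return allowed("x", tool, user) and allowed("r", target, user)

ROOT, USERS, SHADOW = 0, 100, 42           # constructed numeric ids
alice = {"uid": 1000, "gids": {1000, USERS}}
svc = {"uid": 999, "gids": {999}}          # account outside 'users'

bin_cat = {"uid": ROOT, "gid": USERS, "mode": "rwxr-x---"}   # proposed scheme
own_cat = {"uid": 999, "gid": 999, "mode": "rwx------"}      # svc's own copy
passwd = {"uid": ROOT, "gid": ROOT, "mode": "rw-r--r--"}
shadow = {"uid": ROOT, "gid": SHADOW, "mode": "rw-r-----"}

def report():
    return {
        "svc runs /bin/cat": allowed("x", bin_cat, svc),
        "svc reads passwd via own copy": read_with(own_cat, passwd, svc),
        "svc reads shadow via own copy": read_with(own_cat, shadow, svc),
        "alice reads shadow via /bin/cat": read_with(bin_cat, shadow, alice),
    }

if __name__ == "__main__":
    for label, result in report().items():
        print(f"{label}: {result}")
```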


