Re: Changing permission in user's home directory

To: debian-user@lists.debian.org
Subject: Re: Changing permission in user's home directory
From: Bob Proulx <bob@proulx.com>
Date: Sat, 20 Dec 2014 19:05:44 -0700
Message-id: <[🔎] 20141220183533949135543.NoCcsPlease@bob.proulx.com>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 201412210111.32524.peter@arbitrary.ch>
References: <[🔎] 201412210111.32524.peter@arbitrary.ch>

Peter Gerber wrote:
> I want to change permission of a directory, recursively. The directory is a 
> subdirectory of a user's home directory.

Sure.  Okay.  People do that all of the time.

> Is there a way to do this in a secure and easy way with the user having full 
> write access to the home directory?

Huh?  What is the question again?

> Let's assume I would change the permissions as follows
> $ chgrp -R www-data ~user/subdir

Assuming the user has already been added to the www-group so that the
chgrp command will succeed.  If they haven't been then it will fail
with operation not permitted due to insufficient permissions.

> $ chmod -R g+rwX ~user/subdir

This requires the larger question of how your web server is set up.
The default group for the web server user is www-data.  Therefore this
now creates a directory where the web server can write.  This can be
fine.  Or it can be problematic.  And no matter what there will be
some people who want it one way and others a different way.

For example a lot of web setups want to have the web process able to
write to the web code.  That way the web site is installed from the
web.  The web site is updated from the web.  A lot of people think
that is okay.  But IMNHO that is too slack.  That type of setup is why
so many web sites get trivially hacked all of the time.  Instead I
insist that the web daemon cannot write to its own code.  No self
modifying code for me as an intentional security layer.  Yes,
sometimes I do feel like a salmon swimming upstream.  But no I have
never had a web server breach either.

Of course any site supporting file uploads must have some place that
can be written to by the web server.  So it isn't always bad.

> The issue is that the user could do something like this beforehand:
> $ mv ~user/subdir ~user/subdir2
> $ ln -s / ~user/subdir
> 
> Not a very nice thing to do, is it?

If the chgrp and chmod is run as the user then they will have no
permissions upon anything elsewhere.  It is safe for them to do this.
System security will prevent it.

The danger comes when root does this and when isn't careful.  I am
assuming that is your real question.  Root is the superuser.  With
great power comes great responsibility.  Root must not fall prey to
these social engineering attacks.  However the person is always the
weakest link in security.  That is why the most successful security
attacks are against people.

However in your example above you showed a '$' prompt indicating a
non-root use of chgrp and chown.  That is fine.  No possible harm
then.  Non-root won't have any capability outside their home then.  In
fact this is probably a good strategy for root.

  # su - user
  $ chgrp -R www-data ~user/subdir
  $ chmod -R g+rwX ~user/subdir

Or rather:

  # su user -c 'chgrp -R www-data ~user/subdir'
  # su user -c 'chmod -R g+rwX ~user/subdir'

> Well, I could just change the user's permission for the home directory as 
> follows:

You could.  But for what purpose?  What are you trying to accomplish
here?  This below doesn't follow from the www daemon writability
above.  At least I don't see it.  I need a hint. :-)

> $ chown root:users-group ~user

You need root for that.  The normal user doesn't have permission.

Changing the user's home directory to be owned by root _feels_ rude to
me.  The above is certainly fine since the user will still have
permissions and I think everything still works.  (SSH, Postfix,
others, will still validate the home as secure since it is the user or
root and in this case root.)

> $ chmod g+rwx,+t

The g+w will cause problems with some programs validating the security
of the user's directory.  It depends upon their code and how they were
compiled.  I think by default Debian's ssh and postfix will find the
g+w an invalid mode for the user and will therefore fail to accept any
$HOME/.ssh or $HOME/.forward files and so forth.  I don't think
Debian's are compiled for g+w mode by default.  Which is unfortunate
because UPG user private groups by default are a good thing.

> But this seems rather error-prone. Especially because I would have to adjust 
> the permission of quite a lot of directories, some of which are not even in 
> the top level of the users' home directories. Frankly, me forgetting
> to adjust the permissions of a few directories is just to great.

Please pull up a level and say what you are trying to accomplish.

> What I now would like to know is, is there an easier way to solve the issue. 
> Like teaching chmod not to follow links. Unfortunately, I haven't found a --
> make-sure-as-hell-not-to-follow-links-in-any-way parameter or anything the 
> like.

There is most definitely an easier way.  What issue were we trying to
solve again? :-)

Maybe the issue is a hint that root should (although perhaps rarely
does interactively, but should in automated scripts) operate from the
restriction of the user and not as the superuser.  The system will
protect itself from a non-priviledged user.

  # su user -c 'chgrp -R www-data ~user/subdir'

Or perhaps your '$' prompt is you?  Then use sudo?

  $ sudo -u user 'chgrp -R www-data ~user/subdir'

Bob

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- Changing permission in user's home directory
  - From: Peter Gerber <peter@arbitrary.ch>

Prev by Date: Re: Changing permission in user's home directory
Next by Date: Re: Changing permission in user's home directory
Previous by thread: Re: Changing permission in user's home directory
Next by thread: gnome
Index(es):
- Date
- Thread