
How secure are nested/indirect file access restrictions?



Hello!

Let's assume the following file permissions:

drwxr-xr-x root  root     /srv
drwxr-x--- root  srv-www  /srv/www
drwxrws--x root  dev-1    /srv/www/dom-1
-rw-rw-r-- usr-1 dev-1    /srv/www/dom-1/index.php

While the html subfolder perms allow write access only to root and users
within dev-1, index.php would be world-readable, but "indirectly" filtered by
the perms of www, which deny access to anyone who is not a group member of
srv-www. (Of course, any member of dev-1 must be a member of srv-www, too.)

The idea is to distinguish between one user (file-owner), one group with write
access (e.g. developer) and one group with limited read access (webserver),
and to deny access to anyone else at the same time, using standard Unix access
rights.

Are there any security implications?

So far, I have only found that remounting the file structure would break the
permissions in effect. But (re)mounting shall be allowed by root only.

/andy
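
Added example, not part of the original post: a small Python model of the classic owner/group/other check, applied to the layout listed in the message, to show which accounts can reach index.php through the nested directories. The account names www-data, dev-a, dev-b and guest are constructed, and the model ignores root, ACLs and capabilities.

```python
# Added example: models the owner/group/other check on the layout from the post.
R, W, X = 4, 2, 1

# path -> (mode, owner, group), transcribed from the listing in the post
TREE = {
    "/srv": (0o0755, "root", "root"),
    "/srv/www": (0o0750, "root", "srv-www"),
    "/srv/www/dom-1": (0o2771, "root", "dev-1"),   # drwxrws--x (setgid)
    "/srv/www/dom-1/index.php": (0o0664, "usr-1", "dev-1"),
}

def class_bits(user, groups, path):
    """Return the rwx bits of the single class that applies to this user."""
    mode, owner, group = TREE[path]
    if user == owner:          # owner class wins, even if it grants less
        return (mode >> 6) & 7
    if group in groups:        # then the group class
        return (mode >> 3) & 7
    return mode & 7            # everyone else

def ancestors(path):
    """Parent directories of path, outermost first ("/" itself is assumed searchable)."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

def allowed(user, groups, path, want):
    """True if every parent directory grants search (x) and the target grants `want`."""
    for d in ancestors(path):
        if not class_bits(user, groups, d) & X:
            return False
    return (class_bits(user, groups, path) & want) == want

# Constructed accounts (assumptions, not from the post)
ACCOUNTS = {
    "www-data": {"srv-www"},          # web server: read-only group
    "dev-a": {"dev-1", "srv-www"},    # developer in both groups
    "dev-b": {"dev-1"},               # developer missing srv-www
    "guest": {"users"},               # unrelated local user
}

if __name__ == "__main__":
    f, d = "/srv/www/dom-1/index.php", "/srv/www/dom-1"
    for user, groups in ACCOUNTS.items():
        print(user,
              "read" if allowed(user, groups, f, R) else "-",
              "write" if allowed(user, groups, f, W) else "-",
              "list-dir" if allowed(user, groups, d, R) else "-")
```

In this model the srv-www-only account can read index.php by name but cannot list dom-1, and the dev-1 member who lacks srv-www is stopped at /srv/www, which matches the post's remark that dev-1 members must also be in srv-www.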


