[ale] file and directory permission security
Dow Hurst
dhurst at kennesaw.edu
Wed Jul 10 21:14:20 EDT 2002
Here is a blurb taken from a page on file and directory security that
talks about what I remembered reading somewhere. It isn't as bad as I
thought but could be a problem if you weren't careful setting permissions:
BEGIN-----------------------------
>Giving "others" execute permission on your home directory allows other
>users on the machine the ability to "cd" to your home directory and
>pass through it on the way to lower subdirectories (such as
>public_html). Without "read" permission on the directory, however,
>they cannot directly obtain a listing of its contents. But there's a
>catch: if an outside user already knows the name of a file in the directory
>AND read permission is given for others on that file, they will be
>able to view the contents of the file.
>
END----------------------------------
Dow Hurst wrote:
> At the last ALE-NW meeting, I said based on my memory of something I
> thought I had read that you could have a world readable file in a
> non-world readable directory and if another user knew the exact path
> and filename that they could read the file. Geoffrey tried it out and
> found I was wrong. Now, is there a way to have limited permissions on
> a directory for groups or world and yet still have a security hole
> where they could operate on a file within that directory that has
> permissions allowing their access? I've been busy and haven't had
> much time to go searching for where I thought I saw the exploit but I
> didn't want to let this go any longer. Any comments?
>
> Here is what Geoffrey tried and sent me in his words:
>
> BEGIN----------------------------------
> I want to make sure that I understood what you said last night
> regarding file/dir perms. Correct me if I'm wrong, but you said that
> if you did not have permissions to search a directory, you could still
> view files in that directory if the file perms permitted such AND you
> know the full path to the file?
>
> Here's my example:
>
> $ ls -la foo
>
> total 36
> drwx------ 2 esoteric esoteric 4096 Jun 21 14:51 ./
> drwx------ 254 esoteric esoteric 28672 Jun 21 14:55 ../
> -rw-r--r-- 1 esoteric esoteric 7 Jun 21 14:51 bar
>
> $ cat foo/bar
> foobar
>
> $ chmod 666 foo
>
> $ ls -ld foo
> drw-rw-rw- 2 esoteric esoteric 4096 Jun 21 14:51 foo/
>
> $ cat foo/bar
> cat: foo/bar: Permission denied
>
> Now the interesting thing is, it appears that 'cat' acknowledges the
> file existence with the error message. Because it appears to be
> telling me I don't have permissions to read the file foo/bar. But if
> I try to list a non-existent file in the same way:
>
>
> $ cat foo/barr
> cat: foo/barr: Permission denied
>
> I get the same error. Just the same, it does appear that you can not
> read the file contents if you don't have search perms on the directory
> where the file resides.
>
> In reality, I would expect the error message to say:
>
> cat: foo: directory access denied
>
> Or something along those lines.
> END------------------------------
>
>
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems
> should be sent to listmaster at ale dot org.
>
>
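The behaviour discussed in this message, as an added example that is not part of the original post: a small audit that walks a home directory and reports which files the "other" permission class could read, and whether the names are also listable. It looks at mode bits only (no ACLs or group membership), and the sample tree and its file names are constructed for illustration.

```python
import os
import stat
import tempfile

def others_access(root):
    """Classify regular files under root by what the 'other' class can do.

    Mode bits only: ACLs, group membership and mount options are ignored.
    """
    verdicts = {}

    def visit(path, searchable, listable):
        mode = os.lstat(path).st_mode
        if stat.S_ISDIR(mode):
            # o+x lets others pass through; o+r lets them list the names.
            searchable = searchable and bool(mode & stat.S_IXOTH)
            listable = listable and bool(mode & stat.S_IROTH)
            for name in sorted(os.listdir(path)):
                visit(os.path.join(path, name), searchable, listable)
        elif stat.S_ISREG(mode):
            rel = os.path.relpath(path, root)
            if not (searchable and mode & stat.S_IROTH):
                verdicts[rel] = "blocked"
            elif listable:
                verdicts[rel] = "readable and listed"
            else:
                verdicts[rel] = "readable if path is known"

    visit(root, True, True)
    return verdicts

def build_demo_home(home_mode):
    """Constructed sample tree (hypothetical names); the owner keeps rwx."""
    home = os.path.join(tempfile.mkdtemp(), "home")
    layout = {"notes.txt": 0o644, "secret.txt": 0o600,
              "public_html/index.html": 0o644, "foo/bar": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("foobar\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(home, "public_html"), 0o755)
    # Others get read but not search: the condition in the foo/bar test.
    os.chmod(os.path.join(home, "foo"), 0o704)
    os.chmod(home, home_mode)
    return home

if __name__ == "__main__":
    for mode in (0o711, 0o755, 0o700):
        print(oct(mode), others_access(build_demo_home(mode)))
```

Any file reported as "readable if path is known" is the case the quoted blurb warns about: tightening the file's own mode, not just the directory's, closes it.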