[ale] Permission hell question

Stephan Uphoff ups at tree.com
Wed Jun 30 17:15:03 EDT 2004 

Geoffrey wrote:
> Stephan Uphoff wrote:
> > This is true for Unix and BSD ... but I have never looked at this part 
> > of the Linux sources.

Yes - this is not true for Linux.
Your results show it and I also got curious and finally looked at the sources.

In BSD and Unix the file system specific code checks the access rights
during the lookup operation.
In Linux the file system specific lookup does not check the access rights.
( This is done by a separate call) 

This allows Linux to check the access right of the root of the mounted
file system and then call lookup for ".." on the covered directory.

I would still not recommend making a habit of it since it can bite you
on non linux systems.


Thanks for the tests

	Stephan


Geoffrey wrote:
> Stephan Uphoff wrote:
> 
> > The permissions of the covered mount point usually only come into play
> > when accessing ".." from the root of the mounted fs.
> > 
> > This is true for Unix and BSD ... but I have never looked at this part 
> > of the Linux sources.
> > 
> > As a normal user try to
> > 	cd /mnt/memstick  #OK
> > 	pwd               #Fails unless cached by shell
> > 	ls ..             #Should fail
> > 
> > with /mnt/memstick permission set to 700 and user root.
> 
> I don't agree, note the following, all done as a normal user:
> 
> /home/esoteric> cd /mnt/memstick
> ksh: cd: /mnt/memstick - Permission denied
> 
> rhws/home/esoteric> ls -l /mnt/memstick
> ls: /mnt/memstick: Permission denied
> 
> rhws/home/esoteric> ls -ld /mnt/memstick
> drwx------    2 root     root         4096 May 12 13:59 /mnt/memstick
> 
> rhws/home/esoteric> cd /mnt/memstick
> ksh: cd: /mnt/memstick - Permission denied
> 
> rhws/home/esoteric> mount /mnt/memstick
> 
> rhws/home/esoteric> cd /mnt/memstick
> 
> rhws/mnt/memstick> pwd
> /mnt/memstick
> 
> rhws/mnt/memstick> ls ..
> cdrom  floppy  jump  memstick
> 
> So, I don't believe your point above is valid.
> 
> > It is not really necessary to have matching permissions - but the wrong set
> > of permissions can cause interesting problems in a production environment.
> 
> If the mount options are correct, the permissions on the mount point do 
> not matter.  I set the perms on /mnt/memstick to 000 as root:
> 
> d---------    2 root     root         4096 May 12 13:59 /mnt/memstick
> 
> I can still mount the partition as a normal user.  When I do, the perms are:
> 
> drwxr-xr-x    3 esoteric users       16384 Dec 31  1969 /mnt/memstick
> 
> -- 
> Until later, Geoffrey                     Registered Linux User #108567
> Building secure systems in spite of Microsoft
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>

More information about the Ale mailing list