<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Security on machine and chgrp in Operating System - HP-UX</title>
    <link>https://community.hpe.com/t5/operating-system-hp-ux/security-on-machine-and-chgrp/m-p/2518917#M23311</link>
    <description>Here is a test I have run as a "normal" user that seems to be a little troublesome:&lt;BR /&gt;&lt;BR /&gt;touch test&lt;BR /&gt;chgrp root test&lt;BR /&gt;&lt;BR /&gt;Should it allow me to change the group to root if this user is not part of that group?</description>
    <pubDate>Thu, 19 Apr 2001 12:55:33 GMT</pubDate>
    <dc:creator>Eric Pullen</dc:creator>
    <dc:date>2001-04-19T12:55:33Z</dc:date>
    <item>
      <title>Security on machine and chgrp</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/security-on-machine-and-chgrp/m-p/2518917#M23311</link>
      <description>Here is a test I have run as a "normal" user that seems to be a little troublesome:&lt;BR /&gt;&lt;BR /&gt;touch test&lt;BR /&gt;chgrp root test&lt;BR /&gt;&lt;BR /&gt;Should it allow me to change the group to root if this user is not part of that group?</description>
      <pubDate>Thu, 19 Apr 2001 12:55:33 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/security-on-machine-and-chgrp/m-p/2518917#M23311</guid>
      <dc:creator>Eric Pullen</dc:creator>
      <dc:date>2001-04-19T12:55:33Z</dc:date>
    </item>
    <item>
      <title>Re: Security on machine and chgrp</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/security-on-machine-and-chgrp/m-p/2518918#M23312</link>
      <description>Hi,&lt;BR /&gt;if you create a file you have full control of that file.  You can make it readable/writable/executable to whoever you want.  You can change the group to each existing group.&lt;BR /&gt;You can even change the owner of the file, but then you lose control ;)&lt;BR /&gt;&lt;BR /&gt;regards,&lt;BR /&gt;Thierry.</description>
      <pubDate>Thu, 19 Apr 2001 13:00:08 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/security-on-machine-and-chgrp/m-p/2518918#M23312</guid>
      <dc:creator>Thierry Poels_1</dc:creator>
      <dc:date>2001-04-19T13:00:08Z</dc:date>
    </item>
    <item>
      <title>Re: Security on machine and chgrp</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/security-on-machine-and-chgrp/m-p/2518919#M23313</link>
      <description>Your MAC - Mandatory access controls -- allow you, as the owner, to change all permissions on the file except ownership. Your DAC -- discretionary access controls, are up to you...&lt;BR /&gt;&lt;BR /&gt;for a safe(R!!) environment particularly WRT WWW, FTP etc, one should change the DAC attributes of a file. IE: for a file index.html, one could allow creation user the rights to change said file, however, for REAL security, give only the SU the right and group the R-X to the file, thus&lt;BR /&gt;----r-x---     root:www (create_date) index.html&lt;BR /&gt;&lt;BR /&gt;Thus the DAC is sorted. For even safer HTML, leave as 040, rather than 050, but if the file is EXE then one will need the 050.&lt;BR /&gt;MND</description>
      <pubDate>Thu, 19 Apr 2001 14:01:26 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/security-on-machine-and-chgrp/m-p/2518919#M23313</guid>
      <dc:creator>Marc Dijkstra</dc:creator>
      <dc:date>2001-04-19T14:01:26Z</dc:date>
    </item>
    <item>
      <title>Re: Security on machine and chgrp</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/security-on-machine-and-chgrp/m-p/2518920#M23314</link>
      <description>Just reread what I wrote, and yep, big booger.... the owner CAN change the ownership of the file, and that, for security reasons WRT www, ftp etc. is a good idea...&lt;BR /&gt;&lt;BR /&gt;My mantra:&lt;BR /&gt;MAC&lt;BR /&gt;DAC&lt;BR /&gt;authorisation... (hello Virtual vault)&lt;BR /&gt;&lt;BR /&gt;Works a treat.&lt;BR /&gt;MND</description>
      <pubDate>Thu, 19 Apr 2001 14:09:21 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/security-on-machine-and-chgrp/m-p/2518920#M23314</guid>
      <dc:creator>Marc Dijkstra</dc:creator>
      <dc:date>2001-04-19T14:09:21Z</dc:date>
    </item>
    <item>
      <title>Re: Security on machine and chgrp</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/security-on-machine-and-chgrp/m-p/2518921#M23315</link>
      <description>What Thierry said is correct.  Remember that changing the group on a file does not grant the owner of the file, or anyone else who might read/write/execute the file, any additional privileges.  If a user created a file, then changed permissions to 777, then changed the group to root and then the owner to root, the user would still have rwx to the file, but (assuming the file is executable) if they execute the file it will still run with their access privileges, so it won't be a security breach.  Also, if the owner is changed, then the user won't be able to re-change the owner, group, permissions, etc. so they'll be stuck.&lt;BR /&gt;&lt;BR /&gt;The thing you'd want to watch for is if you have executables somewhere run by superusers/system that had a user as the owner...</description>
      <pubDate>Fri, 20 Apr 2001 12:45:47 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/security-on-machine-and-chgrp/m-p/2518921#M23315</guid>
      <dc:creator>Andrew Maslin</dc:creator>
      <dc:date>2001-04-20T12:45:47Z</dc:date>
    </item>
  </channel>
</rss>

