Operating System - HP-UX

Hanry Zhou
Super Advisor

directory permission?

If I have a directory called "maindir" with permissions 770, and underneath it another one called "subdir" with permissions 777, do I run any sort of security risk on "subdir" by making it world writable?

Thanks,
James R. Ferguson
Acclaimed Contributor

Re: directory permission?

Hi:

Yes, by granting write permissions, anyone can remove files in the directory. You can/should set the 'sticky' bit on the directory. This means that only the file's owner, or the directory's owner can remove the file:

# chmod 1777 subdir

Regards!

...JRF...
Hanry Zhou
Super Advisor

Re: directory permission?

James,

You seem not to be right on this.

I did a little test: I can't remove "subdir" if I'm not part of the group, even though the permissions of "subdir" are 777, because "maindir" is 770.
A. Clay Stephenson
Acclaimed Contributor

Re: directory permission?

No, James is quite correct; you simply didn't understand.

Suppose that userA creates a file /maindir/subdir/userA with permissions 644.

Now, if you want userB to be able to remove the file /maindir/subdir/userA, then make the permissions on subdir 777, BUT if you do not want anyone other than userA to remove the file, then set the 'sticky' bit: 1777.
If it ain't broke, I can fix that.
James R. Ferguson
Acclaimed Contributor

Re: directory permission?

Hi (again) Hanry:

Setting the sticky bit on the directory prevents *files* in the directory that are not owned by the user attempting to remove them from being removed.

Regards!

...JRF...
Hanry Zhou
Super Advisor

Re: directory permission?

James and Clay

I don't know whether you two don't understand what I described here, or I don't understand you two. I am sorry if it is the latter.

I am only talking about the level of "maindir" and "subdir", /maindir/subdir; no third level of directories/files is involved here.
Let's say "maindir" is owned by userA:groupA, and its permissions are 770. "subdir" is also owned by userA:groupA, but its permissions are 777. So, in a situation like this, a user, say userB, who is not part of groupA can't remove "subdir", even though its permissions are 777! Am I right here?

My original question was: in the case I described, is there any danger from subdirectories (with permissions 777) under "maindir"?

Thank you for your patience.
Sridhar Bhaskarla
Honored Contributor
Solution

Re: directory permission?

Hi Henry,

There are two things here:

1. If userB is not in the group that the maindir permissions refer to, then userB cannot enter maindir. Removal of subdir comes after that.

2. Also, when it comes to directories, there is a slight change of rules here.

// Read the man page of rmdir: "Removal of a directory requires write and search (execute) permission in its parent directory, but no permissions on the directory itself; but if the sticky bit is set on the parent directory, only the owner of the directory, the owner of the parent directory, or a user having appropriate privileges can remove the directory." //

So you may not be able to delete your subdir under the above rules and your permissions. But if userB can enter maindir, then he/she will be able to delete files or directories under subdir (though not subdir itself, unless you gave full permissions to maindir), unless you set the sticky bit on it.

Hope it is clear to you.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
twang
Honored Contributor

Re: directory permission?

Hi Hanry,
If maindir's permissions are 770, that means users other than the directory owner or members of the same group cannot enter the maindir directory or see the contents of maindir.
They cannot remove or see subdir even if its permissions are 777; you may see a permission denied error when you try to remove subdir in this case:
rm: cannot stat maindir/subdir: Permission denied

Hope it helps.
twang
Hanry Zhou
Super Advisor

Re: directory permission?

Sri,

We are talking now...

So, in other words, as long as I have permissions 770 on maindir, I don't need to worry about anybody else (other than root) being able to remove its subdirectories/files, even though these subdirectories/files have permissions 777 on them?

Sridhar Bhaskarla
Honored Contributor

Re: directory permission?

Hi Henry,

Well, you still have to worry about the people in the group, because they can do anything beneath maindir to the owner's files/directories. So it is better to configure subdir with the sticky bit. It doesn't hurt to keep the sticky bit on that directory.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
twang
Honored Contributor

Re: directory permission?

Take a look at the following simple test:
Log on to the system as user a:
a@rhost$ mkdir maindir
a@rhost$ chmod 770 maindir
a@rhost$ ll
total 0
drwxrwx--- 2 a dba 96 Sep 6 11:28 maindir
a@rhost$ cd maindir
a@rhost$ mkdir subdir
a@rhost$ chmod 777 subdir
a@rhost$ ll
total 0
drwxrwxrwx 2 ora dba 96 Sep 6 11:29 subdir


Log on to the system as another user, b:
$ cd /home/a
$ ls
maindir
$ ll
total 0
drwxrwx--- 3 ora dba 96 Sep 6 11:29 maindir
$ cd maindir
sh: maindir: Permission denied.
$ rm -r maindir/subdir
rm: cannot stat maindir/subdir: Permission denied

twang
Honored Contributor

Re: directory permission?

To add to the above reply: users a and b do not belong to the same group. If a and b are in the same group, b can access subdir, because b can 'cd' into maindir and has full access rights to subdir.
Sridhar Bhaskarla
Honored Contributor

Re: directory permission?

Yes. Your test has proven what we said. Since userb does not belong to the dba group, you couldn't enter maindir, and hence you cannot delete subdir.

However, if there is a user userC who belongs to the dba group, he/she can happily enter the maindir directory and delete subdir as well as the files under subdir. So protect maindir and subdir with the sticky bit.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
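The rules discussed in this thread (search permission on every directory along the path, write permission on the parent, the sticky-bit ownership test, and no permission bits needed on the entry itself), as an added example that is not from the thread or from HP-UX: a small Python model of the unlink/rmdir checks, so the cases above can be exercised without creating real users. The uids, gids, user names (userA, userB, userC) and file names are made up for illustration; userA and userC share a group, userB does not.

```python
"""Model of the POSIX permission checks applied when removing a file or directory.

Added example, not code from the thread. Users, ids and paths are constructed.
"""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1          # permission bits within one 3-bit class (rwx)
STICKY = 0o1000            # the leading "1" in chmod 1777


@dataclass(frozen=True)
class User:
    uid: int
    gids: frozenset          # every group the user belongs to


@dataclass
class Node:
    name: str
    uid: int                 # owning user
    gid: int                 # owning group
    mode: int                # e.g. 0o770 or 0o1777
    is_dir: bool = False
    children: dict = field(default_factory=dict)

    def add(self, child):
        self.children[child.name] = child
        return child


def class_bits(node, user):
    """Select owner, group or other bits, in that order, as the kernel does."""
    if user.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in user.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7


def resolve(root, path):
    """Return the chain of nodes from root down to the target (no checks here)."""
    nodes = [root]
    for part in path.strip("/").split("/"):
        nodes.append(nodes[-1].children[part])
    return nodes


def can_remove(root, path, user):
    """Decide whether `user` may unlink/rmdir `path`; returns (allowed, reason).

    Rules modelled, following unlink(2)/rmdir(2):
      * search (x) on every directory on the way, including the parent;
      * write (w) on the parent;
      * if the parent has the sticky bit, the caller must own the entry
        or the parent (root always passes);
      * the mode of the entry itself is irrelevant;
      * a directory must be empty (rm -r removes the contents first).
    """
    if user.uid == 0:
        return True, "superuser"
    nodes = resolve(root, path)
    target, parent = nodes[-1], nodes[-2]
    for d in nodes[:-1]:
        if not class_bits(d, user) & X:
            return False, f"search permission denied on {d.name}"
    if not class_bits(parent, user) & W:
        return False, f"write permission denied on {parent.name}"
    if parent.mode & STICKY and user.uid not in (target.uid, parent.uid):
        return False, f"sticky bit on {parent.name}: {target.name} is not yours"
    if target.is_dir and target.children:
        return False, f"{target.name} is not empty"
    return True, "ok"


def remove(root, path, user):
    """Run can_remove and, if allowed, drop the entry from the tree."""
    ok, why = can_remove(root, path, user)
    if ok:
        nodes = resolve(root, path)
        del nodes[-2].children[nodes[-1].name]
    return ok, why


# Constructed identities: userA owns the directories, userC shares groupA (gid 50),
# userB is in an unrelated group.
USER_A = User(uid=100, gids=frozenset({50}))
USER_B = User(uid=101, gids=frozenset({60}))
USER_C = User(uid=102, gids=frozenset({50}))


def build_tree(sticky_maindir=False, sticky_subdir=False):
    """/maindir (770) containing subdir (777) with one file from userA and one from userC."""
    root = Node("/", uid=0, gid=0, mode=0o755, is_dir=True)
    maindir = root.add(Node("maindir", 100, 50,
                            0o770 | (STICKY if sticky_maindir else 0), is_dir=True))
    subdir = maindir.add(Node("subdir", 100, 50,
                              0o777 | (STICKY if sticky_subdir else 0), is_dir=True))
    subdir.add(Node("fileA", 100, 50, 0o644))
    subdir.add(Node("fileC", 102, 50, 0o644))
    return root


if __name__ == "__main__":
    t = build_tree()
    print("userB rm subdir        :", can_remove(t, "/maindir/subdir", USER_B))
    print("userC rm fileA         :", remove(t, "/maindir/subdir/fileA", USER_C))
    t = build_tree(sticky_subdir=True)
    print("userC rm fileA (1777)  :", can_remove(t, "/maindir/subdir/fileA", USER_C))
```

Running it shows the three outcomes the thread arrives at: userB is stopped at maindir (no search permission, so the 777 on subdir never matters), userC as a group member can empty and then remove subdir, and once subdir is 1777 userC can still delete his own fileC but not userA's fileA, while userA as owner of the directory can delete either.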
twang
Honored Contributor

Re: directory permission?

Sridhar,
Completely agree with you! To further protect subdir, we must set the sticky bit.