Operating System - HP-UX
Eric Pullen
Occasional Contributor

Security on machine and chgrp

Here is a test I have run as a "normal" user that seems to be a little troublesome:

touch test
chgrp root test

Should it allow me to change the group to root if this user is not part of that group?
Thierry Poels_1
Honored Contributor

Re: Security on machine and chgrp

Hi,
If you create a file you have full control of that file. You can make it readable/writable/executable to whoever you want. You can change the group to any existing group.
You can even change the owner of the file, but then you lose control ;)

regards,
Thierry.
All Unix flavours are exactly the same . . . for end users anyway.
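Whether a non-root owner may chgrp a file to a group they do not belong to is a per-system policy rather than a fixed Unix rule: POSIX calls the restrictive variant _POSIX_CHOWN_RESTRICTED, and HP-UX additionally ties chown(2) to its privilege groups (see getprivgrp(1) and setprivgrp(1M) for the CHOWN privilege, which the script below does not exercise). The following sh script is an added example, not code from the thread: it asks getconf for the flag and then actually tries the operation, by finding a group the caller is not a member of, creating a temporary file and attempting the chgrp. The helper names (foreign_group, chown_restricted_flag, chgrp_probe) are mine, and it assumes getent(1) or a readable /etc/group plus a mktemp(1).

```shell
#!/bin/sh
# Added example: probe this system's chgrp policy for an unprivileged owner.
# Helper names (foreign_group, chown_restricted_flag, chgrp_probe) are my own.

# Print the name of the first group in the group database that the caller is
# not a member of (empty output if there is none). Assumes getent(1) or a
# readable /etc/group; the match is done in awk so the loop needs no subshell.
foreign_group() {
    my_gids=" $(id -G) "
    { getent group 2>/dev/null || cat /etc/group; } |
        awk -F: -v mine="$my_gids" 'index(mine, " " $3 " ") == 0 { print $1; exit }'
}

# What getconf(1) reports for the POSIX pathconf variable; "1" means owners
# may not give files away and may only chgrp to groups they belong to.
# Prints "unknown" if this getconf does not recognise the name.
chown_restricted_flag() {
    getconf _POSIX_CHOWN_RESTRICTED / 2>/dev/null || echo unknown
}

# Actually try it. Prints exactly one word:
#   privileged        running as root, so the test proves nothing
#   no-foreign-group  every group contains the caller; nothing to test with
#   unrestricted      chgrp to a group we are not in succeeded (classic HP-UX)
#   restricted        the kernel refused it (BSD/Linux behaviour)
chgrp_probe() {
    if [ "$(id -u)" -eq 0 ]; then
        echo privileged
        return 0
    fi
    grp=$(foreign_group)
    if [ -z "$grp" ]; then
        echo no-foreign-group
        return 0
    fi
    f=$(mktemp) || return 1
    : > "$f"                 # some mktemp(1) implementations only print a name
    if chgrp "$grp" "$f" 2>/dev/null; then
        echo unrestricted
    else
        echo restricted
    fi
    rm -f "$f"
}

echo "getconf _POSIX_CHOWN_RESTRICTED: $(chown_restricted_flag)"
echo "chgrp to a foreign group:        $(chgrp_probe)"
```

Run it as the ordinary user from the original question, not as root: root is exempt from the restriction, so the probe deliberately reports "privileged" and stops rather than giving a misleading "unrestricted".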
Marc Dijkstra
Trusted Contributor

Re: Security on machine and chgrp

Your MAC (mandatory access controls) allow you, as the owner, to change all permissions on the file except ownership. Your DAC (discretionary access controls) are up to you...

For a safe(r!) environment, particularly with regard to WWW, FTP etc., one should change the DAC attributes of a file. I.e., for a file index.html, one could allow the creating user the right to change said file; however, for REAL security, give only the SU the right and the group r-x on the file, thus:
----r-x--- root:www (create_date) index.html

Thus the DAC is sorted. For even safer HTML, leave it as 040 rather than 050, but if the file is an executable then one will need the 050.
MND
"A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila"
Marc Dijkstra
Trusted Contributor

Re: Security on machine and chgrp

Just reread what I wrote, and yep, big booger... the owner CAN change the ownership of the file, and that, for security reasons with regard to www, ftp etc., is a good idea...

My mantra:
MAC
DAC
authorisation... (hello Virtual vault)

Works a treat.
MND
"A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila"
Andrew Maslin
Frequent Advisor

Re: Security on machine and chgrp

What Thierry said is correct. Remember that changing the group on a file does not grant the owner of the file, or anyone else who might read/write/execute the file, any additional privileges. If a user created a file, then changed permissions to 777, then changed the group to root and then the owner to root, the user would still have rwx to the file, but (assuming the file is executable) if they execute the file it will still run with their access privileges, so it won't be a security breach. Also, if the owner is changed, then the user won't be able to re-change the owner, group, permissions, etc. so they'll be stuck.

The thing you'd want to watch for is if you have executables somewhere run by superusers/system that had a user as the owner...
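Marc's root:www 040/050 files and Andrew's closing warning describe the same audit from two sides: anything a privileged process executes or serves should be owned by root, and nothing under it may be writable by group or others, because whoever can write there gets root to run or publish their content. The sh below is an added example and not code from the thread; it walks a directory tree and reports each entry that fails either rule. The function names (find_untrusted, count_untrusted, audit_dirs) are mine, the directories in the closing call are placeholders to adjust per system, and only POSIX find(1) primaries are used (octal -perm masks, -user with a name or numeric uid) so it should run on HP-UX as well as Linux.

```shell
#!/bin/sh
# Added example: audit directory trees that a privileged process (cron, init
# scripts, a root-run web server) trusts. Two rules, matching the thread:
#   1. every entry must be owned by OWNER (normally root);
#   2. nothing may be writable by group or others, since a writer there can
#      replace the file and have root run or serve what they put in it.
# find_untrusted, count_untrusted and audit_dirs are my own names.

# Print "<reason>\t<path>" for each finding. Symlinks are skipped as entries
# in their own right; their targets are still visited when they live inside
# DIR. Octal -perm masks are used instead of symbolic ones for portability:
# -020 tests the group write bit, -002 the other write bit.
find_untrusted() {
    dir=$1
    owner=$2
    find "$dir" ! -type l ! -user "$owner" \
        -exec printf 'not-owned-by-%s\t%s\n' "$owner" {} \;
    find "$dir" ! -type l \( -perm -020 -o -perm -002 \) \
        -exec printf 'writable\t%s\n' {} \;
}

# Number of findings, usable as a pass/fail figure from a cron job.
count_untrusted() {
    find_untrusted "$1" "$2" | wc -l | tr -d ' '
}

# Usage: audit_dirs OWNER DIR...   (prints findings; exits 1 if there were any)
audit_dirs() {
    owner=$1
    shift
    total=0
    for d in "$@"; do
        [ -d "$d" ] || continue
        find_untrusted "$d" "$owner"
        n=$(count_untrusted "$d" "$owner")
        total=$((total + n))
    done
    [ "$total" -eq 0 ]
}

# Placeholder directories; substitute the ones root actually runs things
# from on your box (init script and crontab spool paths differ between
# HP-UX and Linux).
audit_dirs root /etc/init.d /usr/local/sbin || echo "findings above need attention"
```

Point it at the web document root with the owner set to root as well: a file that passes both rules but still shows up as 644 or 755 is the case Marc tightens further to 040 or 050, and a file owned by the user who uploaded it is exactly the "executable run by root but owned by a user" that Andrew warns about.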