permissions


Post by Mike Mccla » Tue, 20 Feb 2001 05:04:22



Howdy All,
    I thought I had permissions down, but guess I don't
because I don't know why this is happening on my
Slackware 7.0 system.
As a security precaution I recently changed permissions
on /mc a data partition to 600. Now I'm getting this warning
in the mail:



Subject: cron: cd / ; updatedb --prunepaths='/proc /tmp /solaris /deb'

find: /mc: Permission denied

Permissions of the pertinent files given by 'ls -l' are:
drw-------   7 root     root    /mc
-rwxr-xr-x   1 root     bin     /usr/sbin/crond
-rwxr-xr-x   1 root     bin     /usr/bin/updatedb
-rw-------   1 root     root    /var/spool/cron/crontabs/nobody

Since it's all owned by root, why the denial?

TIA,
MiKe

--- MultiMail/Linux v0.31

 
 
 

permissions

Post by Mark Po » Tue, 20 Feb 2001 05:18:43




>Howdy All,
>    I thought I had permissions down, but guess I don't
>because I don't know why this is happening on my
>Slackware 7.0 system.
>As a security precaution I recently changed permissions
>on /mc a data partition to 600. Now I'm getting this warning
>in the mail:


>Subject: cron: cd / ; updatedb --prunepaths='/proc /tmp /solaris /deb'
>find: /mc: Permission denied
>Permissions of the pertinent files given by 'ls -l' are:
>drw-------   7 root     root    /mc
>-rwxr-xr-x   1 root     bin     /usr/sbin/crond
>-rwxr-xr-x   1 root     bin     /usr/bin/updatedb
>-rw-------   1 root     root    /var/spool/cron/crontabs/nobody
>Since it's all owned by root, why the denial?

Because on Slackware systems, updatedb runs as 'nobody,' not root.  (For
that matter, I don't know any distribution that runs updatedb as anything
other than 'nobody.')

Mark Post

Postmodern Consulting
Information Technology and Systems Management Consulting
To send me email, replace 'nospam' with 'home'.

 
 
 

permissions

Post by Jean-David Beye » Tue, 20 Feb 2001 07:41:27





> >Howdy All,
> >    I thought I had permissions down, but guess I don't
> >because I don't know why this is happening on my
> >Slackware 7.0 system.
> >As a security precaution I recently changed permissions
> >on /mc a data partition to 600. Now I'm getting this warning
> >in the mail:



> >Subject: cron: cd / ; updatedb --prunepaths='/proc /tmp /solaris /deb'

> >find: /mc: Permission denied

> >Permissions of the pertinent files given by 'ls -l' are:
> >drw-------   7 root     root    /mc
> >-rwxr-xr-x   1 root     bin     /usr/sbin/crond
> >-rwxr-xr-x   1 root     bin     /usr/bin/updatedb
> >-rw-------   1 root     root    /var/spool/cron/crontabs/nobody

> >Since it's all owned by root, why the denial?

> Because on Slackware systems, updatedb runs as 'nobody,' not root.  (For
> that matter, I don't know any distribution that runs updatedb as anything
> other than 'nobody.')

Here's one: VA Linux Systems' version of Red Hat Linux 6.2 (VA
6.2.3):

valinux:jdbeyer[~]$ ls -l /usr/bin/updatedb
lrwxrwxrwx    1 root     slocate         7 Jan 22 18:03 /usr/bin/updatedb -> slocate
valinux:jdbeyer[~]$ ls -l /usr/bin/slocate
-rwxr-sr-x    1 root     slocate     20880 Dec 18 12:16 /usr/bin/slocate
valinux:jdbeyer[~]$

--
 .~.  Jean-David Beyer           Registered Linux User 85642.
 /V\                             Registered Machine    73926.
/( )\ Shrewsbury, New Jersey
^^-^^ 5:35pm up 21 days, 2:02, 4 users, load average: 2.04, 2.06, 2.09

 
 
 

permissions

Post by Mark Bratch » Tue, 20 Feb 2001 07:51:53



>Howdy All,
>    I thought I had permissions down, but guess I don't
>because I don't know why this is happening on my
>Slackware 7.0 system.
>As a security precaution I recently changed permissions
>on /mc a data partition to 600. Now I'm getting this warning
>in the mail:



>Subject: cron: cd / ; updatedb --prunepaths='/proc /tmp /solaris /deb'

>find: /mc: Permission denied

>Permissions of the pertinent files given by 'ls -l' are:
>drw-------   7 root     root    /mc
>-rwxr-xr-x   1 root     bin     /usr/sbin/crond
>-rwxr-xr-x   1 root     bin     /usr/bin/updatedb
>-rw-------   1 root     root    /var/spool/cron/crontabs/nobody

>Since it's all owned by root, why the denial?

Perhaps because you made the directory /mc not executable (browsable) by
_anyone_ including the owner? Also, does "nobody" have root permission?

--
Mark Bratcher
To reply direct, remove both underscores (_) from my email name
---------------------------------------------------------------
Escape from Microsoft's proprietary tentacles: use Linux!

 
 
 

permissions

Post by Mark Po » Tue, 20 Feb 2001 11:11:42





-snip-
>>(For
>> that matter, I don't know any distribution that runs updatedb as anything
>> other than 'nobody.')
>Here's one: VA Linux Systems' version of Red Hat Linux 6.2 (VA
>6.2.3):
>valinux:jdbeyer[~]$ ls -l /usr/bin/updatedb
>lrwxrwxrwx    1 root     slocate         7 Jan 22 18:03 /usr/bin/updatedb -> slocate
>valinux:jdbeyer[~]$ ls -l /usr/bin/slocate
>-rwxr-sr-x    1 root     slocate     20880 Dec 18 12:16 /usr/bin/slocate
>valinux:jdbeyer[~]$

This doesn't mean that the updatedb job runs as root, just that the
executable is suid.  I've seen systems that start updatedb and specify what
uid it should be run with, and that is usually 'nobody.'

Mark Post

Postmodern Consulting
Information Technology and Systems Management Consulting
To send me email, replace 'nospam' with 'home'.

 
 
 

permissions

Post by Jean-David Beye » Tue, 20 Feb 2001 21:31:04






> -snip-
> >>(For
> >> that matter, I don't know any distribution that runs updatedb as anything
> >> other than 'nobody.')

> >Here's one: VA Linux Systems' version of Red Hat Linux 6.2 (VA
> >6.2.3):

> >valinux:jdbeyer[~]$ ls -l /usr/bin/updatedb
> >lrwxrwxrwx    1 root     slocate         7 Jan 22 18:03 /usr/bin/updatedb -> slocate
> >valinux:jdbeyer[~]$ ls -l /usr/bin/slocate
> >-rwxr-sr-x    1 root     slocate     20880 Dec 18 12:16 /usr/bin/slocate
> >valinux:jdbeyer[~]$

> This doesn't mean that the updatedb job runs as root, just that the
> executable is suid.  I've seen systems that start updatedb and specify what
> uid it should be run with, and that is usually 'nobody.'

Well, unless I misunderstand you, mine does not run as suid root; it
runs as sgid slocate.

--
 .~.  Jean-David Beyer           Registered Linux User 85642.
 /V\                             Registered Machine    73926.
/( )\ Shrewsbury, New Jersey
^^-^^ 7:30am up 21 days, 15:57, 4 users, load average: 2.19, 2.15, 2.10
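The point Mark Post and Jean-David are circling is the difference between the setuid bit (an `s` in the owner triad of the mode column, which changes the effective uid to the file's owner) and the setgid bit (an `s` in the group triad, which changes only the effective gid). Jean-David's `-rwxr-sr-x root slocate` is the second case: slocate runs with group `slocate`, enough to write the locate database, but its uid stays that of whoever invoked it. Under a cron job owned by nobody that is still nobody, and a 700 directory owned by root stays closed to it. The script below is an added example, not code from the thread, that reads the first column of `ls -l` and reports which identity change, if any, a binary gets when executed; `describe_mode` is a name chosen for this example.

```sh
#!/bin/sh
# Added example (not from the thread): interpret the mode column printed by
# `ls -l` and say which identity a binary acquires when it is executed.

# describe_mode MODESTRING
# Takes the first column of `ls -l` (a trailing "." or "+" added by
# SELinux/ACL aware ls is ignored) and prints one line describing the
# setuid/setgid status.  Returns 1 on an input that is not a mode string.
describe_mode() {
    mode=$(printf '%s' "$1" | cut -c1-10)
    # type char, then owner/group/other triads; s/S may sit in the x slots
    case $mode in
        [-dlcbps][r-][w-][xsS-][r-][w-][xsS-][r-][w-][xtT-]) ;;
        *) echo "describe_mode: not a mode string: $1" >&2; return 1 ;;
    esac
    owner_x=$(printf '%s' "$mode" | cut -c4)   # 4th char: owner execute slot
    group_x=$(printf '%s' "$mode" | cut -c7)   # 7th char: group execute slot
    out=""
    case $owner_x in
        s) out="setuid: effective uid becomes the file owner's" ;;
        S) out="setuid bit set but owner has no execute bit (ineffective)" ;;
    esac
    case $group_x in
        s) out="${out:+$out; }setgid: effective gid becomes the file's group, uid unchanged" ;;
        S) out="${out:+$out; }setgid bit set but group has no execute bit (ineffective)" ;;
    esac
    printf '%s\n' "${out:-no setuid/setgid: runs entirely as the invoking user}"
}

# Stand-alone run over the three mode strings quoted in the thread.
describe_mode '-rwxr-xr-x'   # Slackware /usr/bin/updatedb
describe_mode '-rwxr-sr-x'   # VA Linux /usr/bin/slocate
describe_mode 'drw-------'   # /mc: a directory, no set-id bits
```

Feed it the mode column of any `ls -l` line. An uppercase `S` means the set-id bit is on but the corresponding execute bit is off, which is almost always a chmod mistake. Note that Linux honours these bits on binaries only, never on interpreted scripts, so a `#!` script with mode `-rwsr-xr-x` still runs as the invoking user.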

 
 
 

permissions

Post by Mike Mccla » Wed, 21 Feb 2001 15:04:40


Howdy,
    I'm sorry I don't understand the connection between executable
and browsable. To me browsable means readable, NO? /mc can certainly
be read by root.
I have no idea what permissions "nobody" runs with. How do I tell?
And are you saying that /var/spool/cron/crontabs/nobody runs with
user "nobody" permissions rather than with root permissions?
TIA,
Mike


 >Since it's all owned by root, why the denial?
 >

 _M> Perhaps because you made the directory /mc not executable (browsable)
 _M> by _anyone_ including the owner? Also, does "nobody" have root
 _M> permission?

 _M> Mark Bratcher

--- MultiMail/Linux v0.31

 
 
 

permissions

Post by Peter T. Breue » Wed, 21 Feb 2001 15:46:23



>     I'm sorry I don't understand the connection between executable
> and browsable. To me browsable means readable, NO? /mc can certainly

No .. not exactly.

But I agree, people have largely forgotten the difference, and
it's not clear if the distinction is currently correctly implemented.
If a directory is browsable "x", then you can ls -l on any *named*
directory entry, i.e. "ls -l dir/foo", but can't do "ls -l dir".
For the latter the directory must be readable "r".

OTOH, if it's +r only, then you can't cd into it. It needs to be
+x for that, but you won't be able to see anything when you're in it
unless you know what you're looking for.

Think of the directory as a file with a list of filenames.

> be read by root.
> I have no idea what permissions "nobody" runs with. How do I tell?

nobody *runs with* permissions of any kind. Nobody in particular has
none! But people do *have* permissions depending on what groups they're
in.

> And are you saying that /var/spool/cron/crontabs/nobody runs with
> user "nobody" permissions rather than with root permissions?

Of course. It runs as nobody.

>  _M> Perhaps because you made the directory /mc not executable (browsable)
>  _M> by _anyone_ including the owner? Also, does "nobody" have root
>  _M> permission?

I'm not sure what he meant by the last sentence. Perhaps he was
asking if nobody is a member of wheel ;-), or if the cronjob runs
a setuid root executable. Probably the latter.

Peter

 
 
 

permissions

Post by spi.. » Thu, 22 Feb 2001 00:16:25



> find: /mc: Permission denied
> Permissions of the pertinent files given by 'ls -l' are:
> drw-------   7 root     root    /mc

Directories cannot be read without the execute bit set.
chmod 700 /mc

--
______________________________________________________________________________

|Andrew Halliwell BSc(hons)| "The day Microsoft makes something that doesn't |
|            in            |  suck is probably the day they start making     |
|     Computer science     |  vacuum cleaners" - Ernst Jan Plugge            |
------------------------------------------------------------------------------

 
 
 

permissions

Post by Drew Roedersheim » Thu, 22 Feb 2001 07:53:49




>> find: /mc: Permission denied

>> Permissions of the pertinent files given by 'ls -l' are:
>> drw-------   7 root     root    /mc

>Directories cannot be read without the execute bit set.
>chmod 700 /mc

>--
>______________________________________________________________________________

>|Andrew Halliwell BSc(hons)| "The day Microsoft makes something that doesn't |
>|            in            |  suck is probably the day they start making     |
>|     Computer science     |  vacuum cleaners" - Ernst Jan Plugge            |
>------------------------------------------------------------------------------

The _list_ of files in a directory can be read without the execute bit set.  
However, without the execute bit, one cannot actually do anything with said
files.  An example:

chmod 444 doc/
cat doc/(double TAB in Bash)
*gives*

LFS-BOOK-INTEL-2.4.3.ps  resume-example.pdf       sample.muttrc
*                   resume.asc               script.pdf
beowulf.doc              resume.doc               ubench.log
cousinlove.doc           resume.html              underground.txt
gpg_man.pdf              resume.ps                unix.eps
host-detection.pdf       resume.sty               vimguide.ps
ids.pdf                  resume.tex.example       work

However, if you try `cat doc/resume.asc` (or try to cd into doc, of course)
you'll get:
cat: doc/resume.asc: Permission denied

The moral of the story is, the directory without execute permissions is pretty
much worthless unless you want to simply read what files are present in the
directory.  Of course, you probably already knew that...  Just my $0.02.

-DR
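Peter's and Drew's descriptions of what the r and x bits on a directory permit can be checked directly. The script below is an added example, not code from the thread; `probe_dir` is a name chosen for it. It creates a scratch directory holding one file, sets the directory to a given mode, and reports whether reading the directory's name list (needs r), opening a named file inside it (needs x, the "search" permission) and cd'ing into it (needs x) succeed. Mode 600 is what the original poster set on /mc. Run it as an unprivileged user: root bypasses discretionary permission checks, which is exactly why root could still read /mc while the cron job running as nobody could not.

```sh
#!/bin/sh
# Added example (not from the thread): what the r and x bits on a directory
# permit, checked empirically.  Run as an unprivileged user; root bypasses
# these checks and gets OK for everything.

# probe_dir MODE
# Creates a scratch directory holding one file, chmods the directory to MODE,
# and prints "list=... entry=... enter=..." where each value is OK or DENIED:
#   list  - read the directory's name list   (needs r on the directory)
#   entry - open a file inside it by name    (needs x, "search", on the directory)
#   enter - chdir into it                    (needs x on the directory)
probe_dir() {
    mode=$1
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/d"
    echo hello >"$scratch/d/f"
    chmod "$mode" "$scratch/d"

    list=DENIED
    ls "$scratch/d" 2>/dev/null | grep -qx f && list=OK
    entry=DENIED
    cat "$scratch/d/f" >/dev/null 2>&1 && entry=OK
    enter=DENIED
    ( cd "$scratch/d" ) 2>/dev/null && enter=OK

    chmod 700 "$scratch/d"      # restore x so the cleanup below can reach f
    rm -rf "$scratch"
    printf 'list=%s entry=%s enter=%s\n' "$list" "$entry" "$enter"
}

# Stand-alone run: 600 is what the original poster set on /mc,
# 100 is the "search but not list" case Peter describes, 700 is the fix.
for m in 600 100 700; do
    printf 'mode %s: ' "$m"
    probe_dir "$m"
done
```

As a non-root user, 600 gives `list=OK entry=DENIED enter=DENIED` (you can see the names but touch nothing, Drew's case), 100 gives `list=DENIED entry=OK enter=OK` (you can reach anything you already know the name of, Peter's case), and 700 gives OK for all three. This is also why `find` fails on the 600 directory: it must descend into it, which is the search permission.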

 
 
 

permissions

Post by Mike Mccla » Thu, 22 Feb 2001 09:04:25


Howdy Spike,
 Would you care to qualify that statement?
rh6:~> ls -l /mc
total 147930
drwx------   7 root     root         2048 Feb 15 19:19 bin
drwx------   9 root     root         2048 Feb  6 14:21 dld_pkgs
drwx------  43 root     root         3072 Feb 11 10:01 docs
drwxr-xr-x   2 root     root        12288 Mar 11  2000 lost+found
drwx------   5 root     root         1024 Sep 16 12:20 mail
Thanks for the suggestion, I'll try setting the x bit and
see what happens.
MiKe



 > find: /mc: Permission denied

 > Permissions of the pertinent files given by 'ls -l' are:
 > drw-------   7 root     root    /mc

 SP> Directories cannot be read without the execute bit set.
 SP> chmod 700 /mc

--- MultiMail/Linux v0.31

 
 
 

1. Permission Woes - can't add write permission

I am trying to have Netscape use the Mail folder on one of my DOS
partitions, so as to keep all the mail in one place. This works fine for
root, but as a user Netscape can't do this because the user lacks write
permission for the file. Not surprising so far, but no matter what I
try, I can't add write permission for this set of files for "anyone" but
the owner, root. I have fooled around with groups and alternate users,
tried the graphical permission, console 'chmod', but nothing ever
changes. I never get any errors, just no result. I found a place to
change root's ability to make changes from 700 and put 777 just to see,
but even then, nothing. How can it be that root can write to these
files, but cannot bestow permission on "anyone" else?

Sent via Deja.com http://www.deja.com/
Before you buy.
