amd64/154112: user can delete file witch owned by root:wheel

Holger Kipp holger.kipp at alogis.com
Tue Jan 18 21:25:53 UTC 2011


Dear Ihor,
 
On January 18, 2011 at 9:10 PM Ihor R <kaba at goodnet.com.ua> wrote:

> The following reply was made to PR amd64/154112; it has been noted by GNATS.
>
> From: Ihor R <kaba at goodnet.com.ua>
> To: <bug-followup at FreeBSD.org>, <kaba at goodnet.com.ua>
> Cc: 
> Subject: Re: amd64/154112: user can delete file witch owned by root:wheel
> Date: Tue, 18 Jan 2011 21:27:23 +0200
>
>   On Tue, 18 Jan 2011 16:22:53 GMT, kib at FreeBSD.org wrote:
>  > User home directory is owned by user, right ?
>  > The system works as intended, read about unix file permission model.
> 
>   The home user directory is owned by user, but I quite don't understand
>   how I can provide hosting service for my users, if any user can
>   delete any files in his home directory. For example:
> 
>   if I want to block some resources, like site, by adding "deny from all"
>   to .htaccess and replace owner of this file to root:wheel. User can not
>   change this file (rewrite) but he can delete this file any time he wish
>   - and the site will go on to work and can make some steps to damage
>   server.
> 
>   Can you please explain to me how I can get back to Unix where users can't
>   delete files which they do not own. What steps do I need to take to solve
>   the current problem?
>   I need that users can't change or delete files that they do not own,
>   wherever they (the files) are placed.
 
It seems you really don't understand the concept of unix file permissions.
It has been around for ages and imho is as good as it can be.
 
As you also mention .htaccess-files, this is another issue. Looking at
apache documentation, you'll find that these files should not be used
unless you _want_ your users to use them:
 
See http://httpd.apache.org/docs/2.2/howto/htaccess.html#when
 
You might want to rework your current concept of hosting and permissions.
 
Apart from that, this is not a http/apache forum, so this is actually
the wrong mailing list :-(

Best regards,
Holger
-- 

Holger Kipp
Diplom-Mathematiker
Senior Consultant

 
 Tel. : +49 30 436 58 114
 Mobil: +49 178 36 58 114
 Fax. : +49 30 436 58 214
 Email: holger.kipp at alogis.com
 alogis AG
 Alt-Moabit 90b
 D-10559 Berlin
  
 web : http://www.alogis.com
----------------------------------------------------------
 alogis AG
 Sitz/Registergericht: Berlin/AG Charlottenburg, HRB 71484
 Vorstand: Arne Friedrichs, Joern Samuelson
 Aufsichtsratsvorsitzender: Reinhard Mielke
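
Added example, not part of the original message or of FreeBSD: a Python sketch of the classic Unix rule behind this thread, where removing a file depends on the permissions of the containing directory and not on who owns the file. The function names are hypothetical, the sample file is constructed, and the model is simplified (it ignores ACLs, file flags and MAC policies).

```python
import os
import stat
import tempfile

def may_unlink(dir_mode, dir_uid, dir_gid, file_uid, uid, gids=()):
    """Classic Unix check for removing a name from a directory.

    Simplified model (assumption): ignores ACLs, file flags and MAC policies.
    """
    if uid == 0:
        return True                      # superuser bypasses mode bits
    if uid == dir_uid:
        bits = dir_mode >> 6             # owner class of the directory
    elif dir_gid in gids:
        bits = dir_mode >> 3             # group class
    else:
        bits = dir_mode                  # other class
    if bits & 0o3 != 0o3:                # need write (2) and search (1)
        return False
    if dir_mode & stat.S_ISVTX:          # sticky: must own file or directory
        return uid in (file_uid, dir_uid)
    return True                          # the file's own owner/mode never matter

def removable_foreign_files(top):
    """Audit: files the owner of their directory can unlink but does not own."""
    hits = []
    for dirpath, _dirs, files in os.walk(top):
        d = os.lstat(dirpath)
        for name in files:
            path = os.path.join(dirpath, name)
            f = os.lstat(path)
            if f.st_uid != d.st_uid and may_unlink(
                    d.st_mode, d.st_uid, d.st_gid, f.st_uid, d.st_uid):
                hits.append(path)
    return hits

def readonly_file_can_be_removed():
    """Real filesystem check: a mode-0444 file in a writable directory."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".htaccess")      # constructed sample file
        with open(path, "w") as fh:
            fh.write("deny from all\n")
        os.chmod(path, 0o444)            # nobody may write the file itself
        os.unlink(path)                  # directory write permission suffices
        return not os.path.exists(path)

if __name__ == "__main__":
    print(readonly_file_can_be_removed())
    print(removable_foreign_files(os.path.expanduser("~")))
```

Running `removable_foreign_files` over a hosting tree lists every file, such as a root-owned `.htaccess`, that the directory's owner can still remove.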

