negative group permissions?
Matthew Seaman
m.seaman at infracaninophile.co.uk
Fri Feb 24 09:34:08 UTC 2012
On 24/02/2012 09:08, Anton Shterenlikht wrote:
> Recently I started seeing this line
> in daily security output:
>
> Checking negative group permissions:
> 70834 -rw-r----x 1 root daemon 4 Feb 21 12:54:02 2012 /var/spool/output/lpd/.seq
>
> I've a parallel printer attached to
> a 9.9-CURRENT #2 r230787M box.
>
> What does it mean?
This means that non-root users in group daemon have only read
permissions on that file. Users that aren't root and that aren't in
group daemon have execute permission only.
It does look a bit odd, and I believe that file would just contain a job
number (IIRC -- haven't dealt much with lpd or lprng recently),
so executing it doesn't really achieve anything.
This is the standard idiom to allow access for 'everyone, except members
of a particular group.'
One way you can get weird permissions is if you happen to use decimal
for permissions bitmaps rather than octal. A umask of '77' is not the
same thing at all as a umask of '077'. (It's effectively 0115, which
doesn't make much sense to me.) Most shells nowadays will assume you
mean octal whether you include the leading zero or not: the same is not
true if you use umask(2) to set the mask programmatically. Ditto for
other places you can set permissions like open(2) with O_CREAT or mkdir(2).
> Should I be worried?
No more than a normal level of paranoia is indicated here.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew at infracaninophile.co.uk
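Added example (editor's code, not from Matthew's reply or from FreeBSD's periodic scripts): a small C program that makes the two points above concrete. It parses the ls-style mode from the report (rw-r----x), applies the test this example uses for "negative group permissions" (any bit granted to others that is withheld from the group; this is my reading of what the check flags, not a quotation of the periodic script), and then shows what umask(2) does when you hand it decimal 77 instead of octal 077, both as arithmetic and by really creating a file with open(2)/O_CREAT and reading the mode back with fstat(2). The temporary directory location (TMPDIR or /tmp), the 0666 creation mode passed to open(2), and the helper names are assumptions for the demo.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Render the low nine permission bits the way ls(1) prints them, e.g. "rw-r----x". */
void mode_string(mode_t m, char out[10])
{
    const char *bits = "rwxrwxrwx";
    for (int i = 0; i < 9; i++)
        out[i] = (m & (0400 >> i)) ? bits[i] : '-';
    out[9] = '\0';
}

/* Parse a nine-character ls-style string ("rw-r----x") back into mode bits. */
mode_t parse_mode_string(const char *s)
{
    mode_t m = 0;
    for (int i = 0; i < 9 && s[i]; i++)
        if (s[i] != '-')
            m |= (mode_t)(0400 >> i);
    return m;
}

/* "Negative group permissions" as this example defines them (assumption, not the
 * periodic script's own code): a bit that others hold but the owning group does
 * not, so being in the group buys you less than being a stranger. */
int has_negative_group_perms(mode_t m)
{
    mode_t group = (m >> 3) & 07;
    mode_t other = m & 07;
    return (other & ~group) != 0;
}

/* Mode a new file gets from open(2)/O_CREAT or mkdir(2): requested & ~umask. */
mode_t effective_mode(mode_t requested, mode_t mask)
{
    return requested & ~mask & 0777;
}

/* Create a real file under the given umask and return the mode the kernel stored,
 * so the arithmetic above can be checked against the real thing.
 * Returns (mode_t)-1 if the temporary file could not be created. */
mode_t create_with_umask(mode_t mask)
{
    const char *tmp = getenv("TMPDIR");       /* assumption: a writable temp dir */
    char dir[256], path[300];
    struct stat st;
    mode_t result = (mode_t)-1;

    snprintf(dir, sizeof dir, "%s/umaskdemo.XXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(dir) == NULL)                 /* directory made under the caller's umask */
        return result;
    snprintf(path, sizeof path, "%s/f", dir);

    mode_t old = umask(mask);                 /* only the file is created under 'mask' */
    int fd = open(path, O_CREAT | O_WRONLY, 0666);
    umask(old);

    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            result = st.st_mode & 0777;
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    char buf[10];
    mode_t seq = parse_mode_string("rw-r----x");   /* the .seq file from the report */
    mode_string(seq, buf);
    printf("%s (%04o): negative group perms: %s\n", buf, (unsigned)seq,
           has_negative_group_perms(seq) ? "yes" : "no");

    /* umask(77) is decimal 77, i.e. octal 0115, not the 0077 the caller meant. */
    mode_t masks[] = { 077, 77 };
    for (int i = 0; i < 2; i++) {
        mode_string(effective_mode(0666, masks[i]), buf);
        printf("umask %04o -> computed %s, kernel gave %04o\n",
               (unsigned)masks[i], buf, (unsigned)create_with_umask(masks[i]));
    }
    return 0;
}
```

The shell's umask builtin would read both 77 and 077 as octal, which is why the mistake only shows up in programs that call umask(2), open(2) or mkdir(2) with a literal they forgot to prefix with 0.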