> Wrong, if a user has +w mode to a directory they can forcefully remove a
> file. Try it
>
> $ cd
> $ touch -m 440 testme
> $ sudo chown root:root testme
> $ rm testme

I don't know what kind of touch you use, but mine doesn't set the mode
with -m

[felix@firebox](/tmp/testdir)|11:28:16|> touch --help | grep '\-m'
  -m                     change only the modification time

on the other hand, you are changing to your home directory where you
probably have +x on that directory. In that case you can even delete
files without any permissions

[felix@firebox](/tmp/testdir)|11:30:43|> touch testfile; chmod 000 testfile
[felix@firebox](/tmp/testdir)|11:30:54|> ls -la testfile
----------  1 felix users 0 Jul 29 11:30 testfile
[felix@firebox](/tmp/testdir)|11:30:57|> rm -f testfile
[felix@firebox](/tmp/testdir)|11:31:00|> ls -la
total 6
drwx------    2 felix root   48 Jul 29 11:31 .
drwxrwxrwt  179 root  root 6432 Jul 29 11:29 ..
[felix@firebox](/tmp/testdir)|11:31:02|>

so you won't get far with setting restricted permissions in your
home directory. Or create a group, put that emerge-user in that group,
give that group access to the home directory of the emerge user (read
and execute => 750) and give the home directory itself to root. If you
do that your 440-strategy will work, but you won't be able to drop files
in your home directory by yourself.

>
> Game over. :)

Extra Life

-fe

-- 
gentoo-security@g.o mailing list
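Added example (not part of the thread, and not felix's or the gentoo-security list's code): a Python script that encodes the rule felix demonstrates above, namely that unlink(2) checks write and search permission on the directory and never the file's own mode or owner, and then confirms the prediction against the kernel in a scratch directory. It goes slightly beyond the thread in also handling the sticky bit (the `t` on /tmp's `drwxrwxrwt` in the listing above), which limits deletion to the owner of the file or of the directory, and root, which bypasses the check entirely. The uids and gids in the `__main__` section are made up for illustration; the script assumes Linux and a writable TMPDIR.

```python
import os
import stat
import tempfile


def _bit(mode, bits_user, bits_group, bits_other, owner_uid, owner_gid, uid, gids):
    """Pick the user/group/other permission class that applies to uid and test its bit."""
    if uid == owner_uid:
        return bool(mode & bits_user)
    if owner_gid in gids:
        return bool(mode & bits_group)
    return bool(mode & bits_other)


def can_unlink(dir_mode, dir_uid, dir_gid, file_uid, uid, gids):
    """Predict whether `uid` (with group set `gids`) may unlink a file owned by
    `file_uid` that lives in a directory with the given mode and ownership.

    The file's own mode is deliberately not a parameter: unlink(2) never looks at it.
    """
    if uid == 0:                        # root bypasses DAC entirely
        return True
    writable = _bit(dir_mode, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH,
                    dir_uid, dir_gid, uid, gids)
    searchable = _bit(dir_mode, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH,
                      dir_uid, dir_gid, uid, gids)
    if not (writable and searchable):
        return False
    if dir_mode & stat.S_ISVTX:         # sticky bit, as on /tmp (drwxrwxrwt)
        return uid in (file_uid, dir_uid)
    return True


def try_unlink(dir_mode):
    """Create a mode-000 file in a scratch directory chmod'ed to `dir_mode`,
    attempt to unlink it, and return (predicted, actual)."""
    uid = os.geteuid()
    gids = set(os.getgroups()) | {os.getegid()}
    with tempfile.TemporaryDirectory() as base:
        d = os.path.join(base, "testdir")
        os.mkdir(d)
        f = os.path.join(d, "testfile")
        open(f, "w").close()
        os.chmod(f, 0)                  # like `chmod 000 testfile` in the thread
        os.chmod(d, dir_mode)
        st = os.stat(d)
        predicted = can_unlink(dir_mode, st.st_uid, st.st_gid, uid, uid, gids)
        try:
            os.unlink(f)
            actual = True
        except PermissionError:
            actual = False
        os.chmod(d, 0o700)              # let TemporaryDirectory clean up
        return predicted, actual


if __name__ == "__main__":
    # felix's case: own rwx directory, file mode 000 -> removable
    print("rwx dir, mode-000 file:", try_unlink(0o700))
    # no write bit on the directory -> not removable (unless running as root)
    print("r-x dir, mode-000 file:", try_unlink(0o500))
    # the quoted scenario on paper (made-up ids): root-owned 440 file in a home dir the user owns
    print("root-owned file in user's own home dir:", can_unlink(0o700, 1000, 1000, 0, 1000, {1000}))
    # the proposed scheme (made-up ids): root-owned 750 home dir, user only in the group
    print("user file in root-owned 750 home dir:", can_unlink(0o750, 0, 1001, 1000, 1000, {1000, 1001}))
```

Run it as an unprivileged user to see the second `try_unlink` fail as felix's proposed 750 layout intends; run as root and both succeed, which is the same reason the check in `can_unlink` short-circuits on uid 0.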