| 1 |
> Wrong, if a user has +w mode to a directory they can forcefully remove |
| 2 |
a |
| 3 |
> file. Try it |
| 4 |
> |
| 5 |
> $ cd |
| 6 |
> $ touch -m 440 testme |
| 7 |
> $ sudo chown root:root testme |
| 8 |
> $ rm testme |
| 9 |
|
| 10 |
I don't know what kind of touch you use, but mine doesn't set the mode |
| 11 |
with -m |
| 12 |
|
| 13 |
[felix@firebox](/tmp/testdir)|11:28:16|> touch --help | grep '\-m' |
| 14 |
-m change only the modification time |
| 15 |
|
| 16 |
on the other hand, you are changing to your homedirecotry where u |
| 17 |
propably have +x on that directory. In that case you can even delete |
| 18 |
files without any permissions |
| 19 |
|
| 20 |
[felix@firebox](/tmp/testdir)|11:30:43|> touch testfile; chmod 000 |
| 21 |
testfile |
| 22 |
[felix@firebox](/tmp/testdir)|11:30:54|> ls -la testfile |
| 23 |
---------- 1 felix users 0 Jul 29 11:30 testfile |
| 24 |
[felix@firebox](/tmp/testdir)|11:30:57|> rm -f testfile |
| 25 |
[felix@firebox](/tmp/testdir)|11:31:00|> ls -la |
| 26 |
total 6 |
| 27 |
drwx------ 2 felix root 48 Jul 29 11:31 . |
| 28 |
drwxrwxrwt 179 root root 6432 Jul 29 11:29 .. |
| 29 |
[felix@firebox](/tmp/testdir)|11:31:02|> |
| 30 |
|
| 31 |
so you won't get far with setting restricted permissions in your |
| 32 |
homedirectory. Or create a group, put that emerge-user in that group, |
| 33 |
give that group access to the home-direcotry of the emerge user (read |
| 34 |
and execute => 750) and give the home-directory itself to root. If you |
| 35 |
do that you 440-strategy will work, but you won't be able to drop files |
| 36 |
in your homedirectory by yourself. |
| 37 |
|
| 38 |
> |
| 39 |
> Game over. :) |
| 40 |
|
| 41 |
Extra Life |
| 42 |
|
| 43 |
-fe |
| 44 |
|
| 45 |
-- |
| 46 |
gentoo-security@g.o mailing list |
Archives