Re: daemon checking permissions

From: Jukka Inkeri (sco@carelian.fi.removethis.com)
Date: 08/01/02


> Why do you care about read or execute permissions? They don't make it
> vulnerable.
>
> You should check the ownership of the file. Otherwise, someone could
> replace the file with one of their own, assign it to a group that your
> daemon is in, set the permissions to 740, and it would pass your test.
>

And also check the ownership and privileges of the directory.
E.g. if the file securefile has owner root, group root, and access e.g.
r--------, this doesn't tell anything about the privileges to remove or
create the file.
E.g. if the directory privileges are drwxrwxr-x root:other and the user also
belongs to group other, then the user can do e.g.

rm securefile
- edit securefile
chmod 400 securefile
chown root:root securefile

Now your securefile is okay (or not ...).

Some *NIX systems have extra security, e.g. with the chown command, where you
can give a file only to some users, but not e.g. to root.
But: the system may check the privileges of registered files with cron and
change those values as you like ...

So, check the directory tree privileges. Try to understand the meaning of the rwx
flags for the special file type directory.

Don't ever use the command chmod 777 * in a directory where you have
subdirectories. Try.

If you are handling privileges, handle regular files and directories separately.

-jukka-
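An added example (not from this post or its author) of the check the thread is describing: a daemon-side audit that inspects the file itself and every directory from its parent up to a trusted base, because a group- or world-writable ancestor is what makes the rm / recreate / chmod 400 / chown root:root sequence possible. The `audit_secure_file`, `expected_uid` and `stop_at` names are this example's own; `demo()` rebuilds the thread's scenario in a temporary directory, substituting the current uid for root so it runs unprivileged.

```python
import os
import shutil
import stat
import tempfile


def audit_secure_file(path, expected_uid=0, stop_at="/"):
    """Return a list of problems with `path` and its parent directories.

    Rules (following the thread): the file must be a regular file (not a
    symlink), owned by expected_uid, and not writable by group or others.
    Every directory from the file's parent up to and including `stop_at`
    must also be owned by expected_uid and not group/world writable, since
    write access to a directory allows the file to be removed and recreated
    with a "correct" owner and mode. Uses lstat so a symlink is not followed.
    """
    problems = []
    path = os.path.abspath(path)
    stop_at = os.path.abspath(stop_at)

    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append(f"{path}: is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: group/world writable ({stat.filemode(st.st_mode)})")

    # Walk the directory tree upwards; stop at the trusted base or at "/".
    d = os.path.dirname(path)
    while True:
        dst = os.lstat(d)
        if not stat.S_ISDIR(dst.st_mode):
            problems.append(f"{d}: not a directory")
        if dst.st_uid != expected_uid:
            problems.append(f"{d}: owner uid {dst.st_uid}, expected {expected_uid}")
        if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{d}: group/world writable ({stat.filemode(dst.st_mode)})")
        if d == stop_at or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    return problems


def demo():
    """Constructed scenario: securefile is r-------- and correctly owned, but
    its directory is group-writable (drwxrwxr-x). Returns the audit results
    before and after the directory is tightened to drwxr-xr-x."""
    me = os.getuid()
    base = tempfile.mkdtemp()            # created mode 0700, owned by us
    conf = os.path.join(base, "conf")
    os.mkdir(conf)
    os.chmod(conf, 0o775)                # explicit chmod: os.mkdir is masked by umask
    secure = os.path.join(conf, "securefile")
    with open(secure, "w") as fh:
        fh.write("secret=constructed-sample\n")
    os.chmod(secure, 0o400)              # r-------- looks fine on its own

    before = audit_secure_file(secure, expected_uid=me, stop_at=base)
    os.chmod(conf, 0o755)                # remove group write on the directory
    after = audit_secure_file(secure, expected_uid=me, stop_at=base)
    shutil.rmtree(base)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before:", b)
    print("after: ", a)
```

In production the call would be `audit_secure_file("/etc/mydaemon/securefile", expected_uid=0, stop_at="/")`, and the daemon should refuse to start (or at least log loudly) when the list is non-empty; the per-directory check is the part a mode-only test of the file misses.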