[Gllug] File permissions

Bruce Richardson itsbruce at workshy.org
Wed Jun 30 14:12:55 UTC 2010


On Wed, Jun 30, 2010 at 02:36:43PM +0100, - wrote:
> On Wed, Jun 30, 2010 at 2:24 PM, Bruce Richardson <itsbruce at workshy.org> wrote:
> 
> >  1.  Only the root user can use chown to set the owning user.
> >  2.  Chown has to be used after the event.
> 
> Both true. But I did wonder if you could trigger the chown via
> inotify, which would probably achieve the desired effect.

You could, but it would potentially be very insecure. As I understand
it, adding an inotify watch to a file doesn't block any of the events in
its mask (thankfully!), so the file will initially be created with the
regular ownership and will have its ownership changed only once the
watching application responds to a notification event.  If the original
uid/gid has more privileges than the intended one, there's a window of
time to exploit that (and plenty of ways to lengthen the window).

-- 
Bruce

I unfortunately do not know how to turn cheese into gold.
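The window Bruce describes can be made visible in a few lines of C. The program below is an added example written for this page, not code from the thread or from any inotify-based tool: it puts an inotify watch on a freshly made temporary directory, creates a file in it the way any unprivileged program would, and shows that the file is already on disk with the creator's uid and mode before the "watcher" has read a single event. Because chown to another user needs root, the belated fix-up is an fchmod to 0600 standing in for the chown under discussion. The directory template under /tmp, the file name secret.txt and the DEMO_* result bits are assumptions of the example, and it is Linux-only.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result bits of inotify_fixup_demo(); the names are chosen for this example. */
enum {
    DEMO_SAW_CREATE      = 1 << 0, /* the watcher received IN_CREATE for the file  */
    DEMO_CREATOR_OWNED   = 1 << 1, /* in the window the file had the creator's uid */
    DEMO_ORIGINAL_MODE   = 1 << 2, /* in the window the file still had mode 0644   */
    DEMO_FIXED_AFTERWARD = 1 << 3, /* once the watcher had run the mode was 0600   */
    DEMO_ALL             = 0x0f
};

static void cleanup(int ifd, int ffd, const char *path, const char *dir)
{
    if (ffd >= 0) close(ffd);
    if (ifd >= 0) close(ifd);       /* closing the inotify fd drops the watch too */
    unlink(path);
    rmdir(dir);
}

/*
 * Watches a temporary directory, creates a file in it, and only afterwards lets
 * the "watcher" consume the IN_CREATE event and apply its fix-up. The stat()
 * taken in between is what any other process can observe in the window.
 * fchmod() to 0600 stands in for chown(), which needs CAP_CHOWN for other uids.
 * Returns a DEMO_* bitmask, or -1 with errno set if a system call fails.
 */
int inotify_fixup_demo(void)
{
    char dir[] = "/tmp/inotify-demo-XXXXXX";      /* assumed writable location */
    char path[sizeof dir + sizeof "/secret.txt"];
    char buf[sizeof(struct inotify_event) + NAME_MAX + 1]
        __attribute__((aligned(__alignof__(struct inotify_event))));
    struct stat st;
    int ifd = -1, ffd = -1, result = 0, saved_errno;
    mode_t old_umask;
    ssize_t n;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/secret.txt", dir);

    ifd = inotify_init1(IN_CLOEXEC);
    if (ifd < 0 || inotify_add_watch(ifd, dir, IN_CREATE) < 0)
        goto fail;

    /* 1. Ordinary creation. The kernel queues IN_CREATE but does not wait for
     *    anyone to handle it: the file exists from this moment on. */
    old_umask = umask(022);                         /* deterministic 0644 below */
    ffd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    umask(old_umask);
    if (ffd < 0 || write(ffd, "secret\n", 7) != 7)
        goto fail;

    /* 2. The window: whoever looks now sees the creator's uid/gid and mode. A
     *    real watcher is another process that may not even have been scheduled
     *    yet; here we simply have not read the event. */
    if (stat(path, &st) < 0)
        goto fail;
    if (st.st_uid == getuid())
        result |= DEMO_CREATOR_OWNED;
    if ((st.st_mode & 07777) == 0644)
        result |= DEMO_ORIGINAL_MODE;

    /* 3. The watcher finally reads the queued event and reacts to it. */
    n = read(ifd, buf, sizeof buf);
    if (n < 0)
        goto fail;
    for (char *p = buf; p < buf + n;) {
        struct inotify_event *ev = (struct inotify_event *)p;
        if ((ev->mask & IN_CREATE) && ev->len > 0
            && strcmp(ev->name, "secret.txt") == 0) {
            result |= DEMO_SAW_CREATE;
            if (fchmod(ffd, 0600) < 0)              /* the belated fix-up */
                goto fail;
        }
        p += sizeof(struct inotify_event) + ev->len;
    }

    /* 4. Only now does the file carry the intended protection. */
    if (stat(path, &st) < 0)
        goto fail;
    if ((st.st_mode & 07777) == 0600)
        result |= DEMO_FIXED_AFTERWARD;

    cleanup(ifd, ffd, path, dir);
    return result;

fail:
    saved_errno = errno;
    cleanup(ifd, ffd, path, dir);
    errno = saved_errno;
    return -1;
}

int main(void)
{
    int r = inotify_fixup_demo();
    if (r < 0) {
        perror("inotify_fixup_demo");
        return 1;
    }
    printf("IN_CREATE seen %d, creator-owned in window %d, 0644 in window %d, 0600 after %d\n",
           !!(r & DEMO_SAW_CREATE), !!(r & DEMO_CREATOR_OWNED),
           !!(r & DEMO_ORIGINAL_MODE), !!(r & DEMO_FIXED_AFTERWARD));
    return r == DEMO_ALL ? 0 : 1;
}
```

Build with cc -Wall -o demo demo.c and run as any user; all four checks come back true. Step 2 is the whole point: a second process that opens or hard-links the file there gets it with the original uid/gid and mode, and it can stretch that gap by keeping the watcher busy, so the only fix is to get the ownership and mode right at creation time (umask, a setgid directory, or the creating program itself) rather than after the event.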
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug