Re: Basic Security question about directory path

[Devdas Bhagat <devdas () dvb homelinux org>]

On 27/07/05 18:12 -0700, John Earl wrote:
> This seems like a very basic security question, and I _believe_ I
> already know the answer, but I am in a debate with a large software
> company about what is the correct security requirement for a path
> prefix, so I'm looking for second opinions...
>
> The question is this;  In a standard Unix (or POSIX really) setup, what
> authority does a user require to traverse a directory path in order to
> read a file from a subdirectory?
>
> For example, if user "FRED" wishes to read file "myfile"
> from location "/dir1/dir2/" (so that the full path name is
> (/dir1/dir2/myfile"), should user "FRED" need just "x" access to the
> root and "dir1" or should user FRED need "rx" access to the root and
> "dir1".  The goal is both to read the contents of "myfile", but also to
> give the user the lowest amount of authority necessary to complete the
> task.

To be able to read the contents of the directory, you need the r bit
set. 
To be able to change to that directory, or its subdirectories, you
need x. 
To be able to create files in the directory, you need w.

So / needs 511, /dir1 needs 511, /dir1/dir2 needs 511, /dir1/dir2/myfile
needs 444. Keep in mind that you need additional permissions to be able
to do real work, and other programs might need even more access.

Devdas Bhagat