Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Basic Security question about directory path

From: "Samuel R. Baskinger" <sbaskinger () lumeta com>
Date: Fri, 29 Jul 2005 14:39:48 -0400
Every system I know if has dir1 --x--x--x, dir2 as --x--x--x and the
file as r--r--r--. I seem to remember some implementations which
wouldn't let you read a file if you couldn't read a directory's
contents, the logic being that someone could launch an inference attack
of some sort. 

Go fig. :)

Sam 

-----Original Message-----
From: John Earl [mailto:john.earl () powertech com] 
Sent: Wednesday, July 27, 2005 9:12 PM
To: security-basics () lists securityfocus com
Subject: Basic Security question about directory path


This seems like a very basic security question, and I _believe_ I
already know the answer, but I am in a debate with a large software
company about what is the correct security requirement for a path
prefix, so I'm looking for second opinions...

The question is this;  In a standard Unix (or POSIX really) setup, what
authority does a user require to traverse a directory path in order to
read a file from a subdirectory?

For example, if user "FRED" wishes to read file "myfile"
from location "/dir1/dir2/" (so that the full path name is
(/dir1/dir2/myfile"), should user "FRED" need just "x" access to the
root and "dir1" or should user FRED need "rx" access to the root and
"dir1".  The goal is both to read the contents of "myfile", but also to
give the user the lowest amount of authority necessary to complete the
task.

Any insight you have on this would be greatly appreciated.

Thank You,


jte


--
John Earl 
The PowerTech Group
Seattle, WA 
www.powertech.com 
 

 
This email message and any attachments are intended only for the use of
the intended recipients and may contain information that is privileged
and confidential. If you are not the intended recipient, any
dissemination, distribution, or copying is strictly prohibited. If you
received this email message in error, please immediately notify the
sender by replying to this email message, or by telephone, and delete
the message from your email system.
--
Previous By Date Next
Previous By Thread Next

Current thread: