Security Basics mailing list archives
Re: Basic Security question about directory path
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Fri, 29 Jul 2005 20:21:07 +0200
On 2005-07-27 John Earl wrote:
This seems like a very basic security question, and I _believe_ I already know the answer, but I am in a debate with a large software company about what is the correct security requirement for a path prefix, so I'm looking for second opinions... The question is this; In a standard Unix (or POSIX really) setup, what authority does a user require to traverse a directory path in order to read a file from a subdirectory? For example, if user "FRED" wishes to read file "myfile" from location "/dir1/dir2/" (so that the full path name is (/dir1/dir2/myfile"), should user "FRED" need just "x" access to the root and "dir1" or should user FRED need "rx" access to the root and "dir1". The goal is both to read the contents of "myfile", but also to give the user the lowest amount of authority necessary to complete the task.
As long as he has "r" access to "myfile", "x" access to all directories (even dir2) will suffice. The user doesn't need to be able to read a directory in order to traverse it. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- Re: Basic Security question about directory path Devdas Bhagat (Aug 01)
- <Possible follow-ups>
- Re: Basic Security question about directory path Ansgar -59cobalt- Wiechers (Aug 01)
- RE: Basic Security question about directory path Samuel R. Baskinger (Aug 01)