Jan Grant wrote:
> On Sun, 7 Apr 2002, Paweł Jakub Dawidek wrote:
> > What do you think about this patch?
> > This can help non-root applications like apache etc.
> > For example, when I have access to many files from many groups and an
> > attacker exploits this application, he gets access to all files, because
> > there is no way to setgroups() if I am non-root, and maybe only the
> > daemon needs access to all files - the child needs only access to files
> > owned by one group.
>
> This breaks the (rare) case of using group membership for negative
> access control.
Specifically "exclusion groups", e.g.:

	# don't let bob use "ls"...
	cat >> /etc/group
	nols:*:200:bob
	chgrp nols /bin/ls
	chmod g= /bin/ls

This works because permissions are checked in owner/group/world order,
and because you cannot drop group membership, if you are not the owner
(root), then membership in the group "nols" denies you access to the
file, even though world access otherwise remains.

There are also programs that explicitly deny access based on group
membership, by internally asking to see what groups you are in, and
denying access on that basis. This is how a number of "games wrappers"
and similar programs function.

-- Terry

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
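The following is an added example, not code from the thread or from FreeBSD. It models the owner/group/other permission check Terry describes (the same precedence the kernel's access check uses: exactly one class is consulted, and a group match stops the search before "other" is tried) and replays the "nols" exclusion-group scenario. The uids (1001 for bob, 1002 for alice) and the gid 200 for nols are constructed values; `access_check`, `struct cred` and `struct fattr` are names chosen here, not kernel APIs. The last function shows what changes once an unprivileged process is allowed to drop a supplementary group: the exclusion stops applying.

```c
/* Added example (not from the original thread): a model of the classic Unix
 * owner/group/other permission check, used to show why a process that can
 * drop supplementary groups defeats "exclusion groups". */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>   /* uid_t, gid_t, mode_t */

#define PERM_READ  04
#define PERM_WRITE 02
#define PERM_EXEC  01

/* A process credential: uid, effective gid, supplementary groups. */
struct cred {
    uid_t uid;
    gid_t gid;
    const gid_t *groups;
    size_t ngroups;
};

/* A file's ownership and the rwxrwxrwx part of its mode. */
struct fattr {
    uid_t uid;
    gid_t gid;
    mode_t mode;
};

static bool in_group(const struct cred *c, gid_t g)
{
    if (c->gid == g)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/* True if credential `c` may perform `want` (a mask of PERM_*) on `f`.
 * Only one permission class is consulted, chosen in owner/group/other
 * order; a group match never falls through to the "other" bits. */
bool access_check(const struct cred *c, const struct fattr *f, int want)
{
    int bits;
    if (c->uid == f->uid)
        bits = (f->mode >> 6) & 07;     /* owner class */
    else if (in_group(c, f->gid))
        bits = (f->mode >> 3) & 07;     /* group class */
    else
        bits = f->mode & 07;            /* other (world) class */
    return (bits & want) == want;
}

/* Scenario from the thread: /bin/ls is root:nols, mode 0705 ("chmod g=").
 * Constructed ids: nols = 200, bob = 1001, alice = 1002. */
static const struct fattr ls_file = { 0, 200, 0705 };
static const gid_t bob_groups[] = { 200 };

/* bob is a member of nols, so the empty group class is what gets checked. */
int bob_can_run_ls(void)
{
    struct cred bob = { 1001, 1001, bob_groups, 1 };
    return access_check(&bob, &ls_file, PERM_EXEC);
}

/* alice is not in nols, so the world bits (r-x) apply and she may run it. */
int alice_can_run_ls(void)
{
    struct cred alice = { 1002, 1002, NULL, 0 };
    return access_check(&alice, &ls_file, PERM_EXEC);
}

/* If an unprivileged process could call setgroups() with an empty list, bob's
 * credential no longer carries nols, the check falls through to "other", and
 * the exclusion group no longer denies anything. */
int bob_after_dropping_groups_can_run_ls(void)
{
    struct cred bob = { 1001, 1001, NULL, 0 };   /* supplementary groups dropped */
    return access_check(&bob, &ls_file, PERM_EXEC);
}

int main(void)
{
    printf("bob (member of nols) can exec ls: %d\n", bob_can_run_ls());
    printf("alice can exec ls:                %d\n", alice_can_run_ls());
    printf("bob after dropping nols:          %d\n",
           bob_after_dropping_groups_can_run_ls());
    return 0;
}
```

The point the model makes explicit: negative access control through group membership only holds while the kernel guarantees that an unprivileged process cannot shed a group it was given at login. Any change that lets a non-root process shrink its own group list must be evaluated against this case, not only against the "least privilege for a forked child" case the patch was written for.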