Negative permissions WITHOUT ACLs

Hello, if someone can answer this question you will make a lot of Uppsala
University students happy.

Here goes: How do you specify negative permissions¹ in Unix/Linux
without using ACLs?

¹ E.g. saying that the user "Ellen" should not have write access to a
file regardless of the permissions given to her groups.

Re: Negative permissions WITHOUT ACLs

You find something that fills the same role as an ACL but which
someone has called something different.

In some cases, you -might- be able to work something out with
exclusive mandatory locking and file access monitoring capabilities,
to have a program which checked to see who was trying to do the
access and refused to give up control if it was the "wrong" person.
But this would be difficult to do at all without using a device

You could use a loadable driver to put the file into your own
filesystem that did whatever permission enforcement you wanted.

You could put the file into an NFS filesystem that specified a
userid map that mapped Ellen's access to "nobody". You -might- be
able to do that with a loop-back filesystem, mounting the
file into a point on the tree that could be reached by everyone,
when the real file resided inside a fully-protected directory.

Re: Negative permissions WITHOUT ACLs

Starfish wrote:
You don't.  That's why they invented ACLs, because standard
UNIX permissions can't do that sort of thing.

             Christopher Mattern

"Which one you figure tracked us?"
"The ugly one, sir."
"...Could you be more specific?"

Re: Negative permissions WITHOUT ACLs

Chris Mattern wrote:

Actually Unix permissions are a very restricted implementation of ACLs with
owner-user, owner-group, three fixed entries (owner, group, others) and
three permissions (read, write, exec). Yeah, you may add some bits, but
that's generally how it works.

And such a scenario as above can even be achieved with Unix permissions: by
creating a new group that excludes Ellen, changing the owner-group of the
file accordingly and not allowing write access to others.

The obvious problem is management overhead, inflexibility and especially
state explosion (you generally need as many groups as files if they all
have different permissions). And that's why unrestricted ACLs are more

Re: Negative permissions WITHOUT ACLs

Make ellen the owner of the file, and omit the write permission from the
owner, i.e.

chown ellen filename
chmod u-w filename    # u = owner class; "o-w" would only strip write from others

However, a problem with this is that since ellen is the owner, she can
change the permissions and give herself write permissions.  So this is
really only useful as a safety net, or in restricted environments where
users don't have access to the chmod command (e.g. it can be useful on
FTP servers -- you can create an anonymous upload directory where the
anonymous userid doesn't have any permissions to the files they've

Barry Margolin,
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Re: Negative permissions WITHOUT ACLs

You can't.

Use groups. Do not add Ellen to that group, which has the rights.

Much worse than the implementation of PHP, however, is the design.

                              Rudolf Polzer in

Re: Negative permissions WITHOUT ACLs

On my machine, I am the only member of group "buhr".  If there's a
file, owned by anyone besides "buhr", with the following permissions:

-rw----r--  1 root buhr      5 2006-10-12 11:56 buhr_cant_access

then everyone can read it except me.

Unfortunately, the standard Unix permissions system hasn't really been
designed with this usage kept clearly in mind, so there may be ways
for users to manipulate their effective, real, and supplementary group
memberships (with the help of bugs in setgid programs, perhaps) in
such a way as to drop group membership and work around the protection.

Also, at least one easy attack comes to mind: hard links made to the
"unreadable" file from under "~buhr/public_html/" or a public FTP
space would likely make the file readable through the web or FTP
server.  I assume exclusionary ACLs would suffer from the same
problems, though.
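The two tricks discussed in this thread (a file whose group class is empty, and an owner-based denial via chown plus chmod u-w), as an added example that is not from any poster: a small Python model of the owner/group/other check showing why the group-exclusion file denies buhr while an owner-based denial leaves ellen free to chmod it back. User names, uids, gids and modes are constructed.

```python
"""Model of the Unix permission check (owner -> group -> other, first matching
class is final) and the thread's two tricks. Users, ids and modes are constructed."""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # bits within one rwx class

@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gid: int                         # primary group
    groups: frozenset = frozenset()  # supplementary groups

@dataclass(frozen=True)
class Inode:
    owner_uid: int
    owner_gid: int
    mode: int                        # permission bits only (st_mode & 0o777)

def dac_check(user: User, node: Inode, want: int) -> bool:
    """True if user may perform `want` (mask of R/W/X) on a regular file. Model,
    not kernel code: root bypasses r/w and gets x only if some x bit is set."""
    if user.uid == 0:
        return not (want & X) or bool(node.mode & 0o111)
    if user.uid == node.owner_uid:
        bits = (node.mode >> 6) & 0o7    # owner class, checked first
    elif user.gid == node.owner_gid or node.owner_gid in user.groups:
        bits = (node.mode >> 3) & 0o7    # group class: no fallthrough to "other"
    else:
        bits = node.mode & 0o7           # other class
    return (bits & want) == want

def may_chmod(user: User, node: Inode) -> bool:
    """Only the owner (or root) can change the mode, so owner-based denial is a safety net."""
    return user.uid == 0 or user.uid == node.owner_uid

def allowed(node: Inode, users, want: int):
    return sorted(u.name for u in users if dac_check(u, node, want))

ROOT = User("root", 0, 0)
BUHR = User("buhr", 1000, 1000)                       # sole member of group buhr
ELLEN = User("ellen", 1001, 1001, frozenset({2000}))  # also in group staff (2000)
ALICE = User("alice", 1002, 1002, frozenset({2000}))
USERS = [ROOT, BUHR, ELLEN, ALICE]

# -rw----r-- root buhr: buhr hits the empty group class, everyone else can read
BUHR_CANT_ACCESS = Inode(owner_uid=0, owner_gid=1000, mode=0o604)
# chown ellen + chmod u-w on a -rw-rw-r-- file: ellen hits the owner class r--
ELLEN_OWNS_NO_WRITE = Inode(owner_uid=1001, owner_gid=2000, mode=0o464)
```

allowed(BUHR_CANT_ACCESS, USERS, R) returns ['alice', 'ellen', 'root'] and allowed(ELLEN_OWNS_NO_WRITE, USERS, W) returns ['alice', 'root'], while may_chmod(ELLEN, ELLEN_OWNS_NO_WRITE) is True.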
