Home
About Download Documentation Wiki Forums Contribute Support
The Toolkit for Online Communities
15889 Community Members, 0 members online, 1674 visitors today 		Log In Register

Forum OpenACS Q&A: Response to unix user permissions: what is aolserver smoking?

OpenACS Home : Forums : OpenACS Q&A : Response to unix user permissions: what is aolserver smoking? : One Message

+
8: Response to unix user permissions: what is aolserver smoking? (response to 1)
Posted by Lamar Owen on 02/21/01 06:56 PM

NOTE: I formatted this as HTML in the web version. The e-mailed version may be broken.....

Ok, I have here a test for you to see that what's happening is indeed the 'proper' behavior (for various degress of 'proper' :-)). Here's the test directory ls -l:

[root@utility test]# ls -l
total 20
-rwsrwsrwx 1 aolserve lowen 9528 Feb 21 12:20 cat
-r-sr-sr-x 1 aolserve lowen 9264 Feb 21 12:20 id
-rw-rw---- 1 lowen aolserve 23 Feb 21 11:52 testfile1
-rw-rw---- 1 aolserve lowen 23 Feb 21 11:52 testfile2
drwxrwx--- 2 lowen aolserve 4096 Feb 21 11:52 testing
drwxrwx--- 2 aolserve lowen 4096 Feb 21 11:52 testing2
[root@utility test]#cat testfile1
testing suid/sgid junk
[root@utility test]

Testfile1 and testfile2 are identical.

Notice that I'm running as root, and the copy of /bin/cat in this directory is suid aolserver, sgid lowen. The uid aolserve that ls is reporting is actually the 8 char truncation of the username aolserver, and is not a member of the group lowen. So, when I execute './cat testfile1' in this dir (as _root_, no less), I get this result:

[root@utility test]# ./cat testfile1
./cat: testfile1: Permission denied

Ok, let's do another test. The 'id' command will show you all sorts of stuff about the current run user. So, I make a copy of id into the current directory, and make it suid/guid (mode 6555), owner aolserver.lowen. Running ./id gives me:

[root@utility test]# ./id
uid=0(root) gid=0(root) euid=501(aolserver) egid=500(lowen) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) [root@utility test]#

Notice the 'euid' and 'egid' lines. I cannot use su to give me the combination of a user and group that are mutually exclusive, unfortunately, so I can't compare.

Now, let's make aolserver a member of lowen and see if executing './cat testfile1' can access the file now:

[root@utility test]# su aolserver
[aolserver@utility test]$ id
uid=501(aolserver) gid=501(aolserver) groups=501(aolserver),500(lowen) [aolserver@utility test]$ cat testfile1
testing suid/sgid junk
[aolserver@utility test]$ ./cat testfile1
testing suid/sgid junk
[aolserver@utility test]$exit
exit
[root@utility test]# ./cat testfile1
./cat: testfile1: Permission denied
[root@utility test]#

Hmmm. Let's try accessing testfile2, which has the same uid/gid owner as cat does:

[root@utility test]# ./cat testfile2
testing suid/sgid junk
[root@utility test]#

Yep, it works properly for exact matches.

Are you confused now? :-) Effective GID and UID don't follow the group membership, but only use the effective gid in following permissions, it appears. And, unless I cam badly mistaken, nsd uses the effective uid and gid settings.

But it's not nsd that's broken -- it's Linux/glibc, if you want to call the behavior 'broken'. Can someone with some other Unix test the above and see what happens?

This website is maintained by the OpenACS Community. Any problems, email webmaster or Submit a bug report.