[964] in linux-security and linux-alert archive
Re: Fwd: [linux-security] security idea
daemon@ATHENA.MIT.EDU (Robert Nichols)
Fri Jul 26 04:48:47 1996
Date: Thu, 25 Jul 96 18:03 CDT
From: rnichols@interaccess.com (Robert Nichols)
To: daniel@fiction.pb.owl.de, iang@cs.berkeley.edu
Cc: linux-security@tarsier.cv.nrao.edu
On Thu, 25 Jul 1996 "Daniel Roedding" <daniel@fiction.pb.owl.de> wrote
>
>Ian Goldberg wrote:
>
>> In /etc/group:
>
>> lusers::6969:lightman,mitnick
>
>> Your programs:
>
>> -r-s---r-x 1 root lusers 9397 Aug 8 1995 /usr/bin/traceroute
>
>> (Make sure your "newgrp" program doesn't drop your supplementary groups...)
>
>I'm not quite sure if all Linux versions handle this properly, but
>certainly many "commercial" Unix boxes won't, because they first
>check the "world" access rights and then "add" group specific ones.
>So you can use group specific access rights only to give members
>of a certain group *more* rights than the rest of the world, but
>not to *exclude* them.

That's exactly wrong for every Unix system I've ever used. If you
are the owner, you get the "owner" permissions and no others. If
you are not the owner but are a member of the group, you get the
"group" permissions and no others. If you are not the owner and
are not a member of the group, you get the "world" permissions.
--
Bob Nichols rnichols@interaccess.com
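
The first-match rule described in the reply above, applied to the traceroute mode string from the thread. This is an added example, not part of the original messages. The uids, the second user "alice" and the function names are constructed for illustration, and the root/capability override is not modelled.

```python
import stat

R, W, X = 4, 2, 1

def parse_ls_mode(text):
    """Convert an ls-style mode string such as '-r-s---r-x' to mode bits."""
    mode = 0
    for i, ch in enumerate(text[1:10]):
        if i % 3 < 2:
            if ch in "rw":
                mode |= 1 << (8 - i)
        else:
            if ch in "xst":      # lowercase s/t: the execute bit is also set
                mode |= 1 << (8 - i)
            if ch in "sStT":     # setuid, setgid or sticky, by position
                mode |= (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)[i // 3]
    return mode

def access_class(uid, gids, f_uid, f_gid):
    """Pick the single permission class that applies; first match wins."""
    if uid == f_uid:
        return "owner"
    if f_gid in gids:            # gids = effective plus supplementary groups
        return "group"
    return "other"

def allowed(mode, want, uid, gids, f_uid, f_gid):
    """Exclusive check: only the selected class's bits are consulted."""
    shift = {"owner": 6, "group": 3, "other": 0}[access_class(uid, gids, f_uid, f_gid)]
    return (((mode >> shift) & 0o7) & want) == want

def allowed_additive(mode, want, uid, gids, f_uid, f_gid):
    """The 'world plus group' model from the quoted message, for contrast."""
    bits = mode & 0o7
    if f_gid in gids:
        bits |= (mode >> 3) & 0o7
    return (bits & want) == want

# Constructed identities; only gid 6969 and the mode string come from the thread.
ROOT_UID, LUSERS_GID = 0, 6969
LIGHTMAN = (1001, {100, LUSERS_GID})   # member of lusers
ALICE = (1002, {100})                  # hypothetical non-member
TRACEROUTE = parse_ls_mode("-r-s---r-x")

def can_exec(user, check=allowed):
    uid, gids = user
    return check(TRACEROUTE, X, uid, gids, ROOT_UID, LUSERS_GID)

if __name__ == "__main__":
    for name, user in (("lightman", LIGHTMAN), ("alice", ALICE)):
        print(name, "exclusive:", can_exec(user), "additive:", can_exec(user, allowed_additive))
```

Under the exclusive rule the lusers member is refused execute while the non-member is allowed; under the additive model the group's empty permission bits would exclude nobody.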