Score:2

Server

Can I rely on the 701 permissions to prevent users within the same group from messing with each other's data?

Col. Shrapnel

5/11/23, 6:18 PM

Some time ago I've learned that assigning all users to the same group and setting 701 to their home directories prevents them from messing with each other's data, yet lets a system program, such as a web-server, to access the data.

So I create a group users then two users, alice:users and bob:users with /opt/www/alice and /opt/www/bob home directories respectively. Then, after logging under alice I am unable to enter /opt/www/bob and vice versa.

So it seems to me that permissions aren't always checked for the every type (user, group, everyone) but rather gradually, essentially stopping after a negative match. I.e, in my case

when a user from the same group tries to open the directory:
- first, we are checking a user, it is not the same but 7 let us go further
- then 0 stops us from accessing the the directory and also stops the further permissions checking
- so we don't fall into x-for-everyone case from 1
while for a user from the the different group:
- first, we are checking a user, it is not the same but 7 let us go further
- then we are checking for a group, it is 0 but the group is different, so it let's us pass
- so we're able to open the directory thanks to 1 being "everyone" to this directory

Is this conjecture correct? Can I rely on this behavior? What are possible downsides from this setup?

0 + 0

security

linux

permissions

file-permissions

Appleoddity

5/11/23, 8:16 PM

Seems like you’re missing some information between “So I create users…” and “So it seems to me…” the former makes sense, the latter makes no sense based on the former.

Col. Shrapnel

5/11/23, 8:28 PM

@Appleoddity I apologize for the confusion, but isn't "after logging under alice I am unable to enter /opt/www/bob" being that missing link? Like "So I create users, then login under one and then, *being unable to enter each other's directory*, I suppose so and so..."?

Score:0

Server

shearn89

5/13/23, 9:02 AM

I think you've got it slightly wrong, but the outcome is the same. 701 means that:

the user marked as owner gets full permissions, 7
a user in the group marked as the group owner gets no permissions, 0
everyone gets execute permissions, 1

So if the owner & permissions on /opt/www/bob are bob:users and 701 respectively, then bob gets full permissions and everyone can 'execute' the directory. This means anyone would be able to access their own files or group owned files within the folder, but they can't list the contents.

Example:

$> mkdir test
$> echo 'foo' > test/foo.txt
$> chmod 100 test/
$> ls -l test/
Permission denied
$> cat test/foo.txt
foo
$>

So yes, other users in the group would have no permissions, but everyone has execute permissions. You'd be better to set the permissions to 740 if you want to allow the group to read and no one else. Or 741 to achieve what you have, but be a bit clearer?

0 + 0

Col. Shrapnel

5/13/23, 9:53 AM

The thing is, **I don't** want to allow the group to read

shearn89

5/13/23, 11:08 AM

Why not just set the ownership to `bob:bob` then?

Col. Shrapnel

5/13/23, 11:20 AM

because at the time I didn't know how to let a web server read the files with such permisions

Paul

5/13/23, 1:33 PM

@shearn89 In Ubuntu 18.04, 20.04 and Debian 10, `chmod 701 test/`, `sudo chown root test/`, `cat test/foo.txt` prints `cat: test/foo.txt: Permission denied`, `sudo chown root:www-data test/`, `cat test/foo.txt` prints `foo`. I don't have other Linux to test in.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Can I rely on the 701 permissions to prevent users within the same group from messing with each other's data?

TH: ฉันจะใช้สิทธิ์ 701 เพื่อป้องกันไม่ให้ผู้ใช้ในกลุ่มเดียวกันยุ่งกับข้อมูลของกันและกันได้หรือไม่

RO: Mă pot baza pe permisiunile 701 pentru a împiedica utilizatorii din același grup să se amestece cu datele celuilalt?

RU: Могу ли я полагаться на разрешения 701, чтобы пользователи в одной группе не могли вмешиваться в данные друг друга?

VI: Tôi có thể dựa vào quyền 701 để ngăn người dùng trong cùng một nhóm làm hỏng dữ liệu của nhau không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.