security - CentOS: How to prevent a user from executing an application installed in a specific directory
2014-04
slayernoah
I have an application installed in /etc/mydir.
I have executed the following to remove the ability for users to execute this program.
chown root:group1 /etc/mydir -R
chmod 700 /etc/mydir -R
I created a new user and logged in as this user. The new user was not added to group1
However, I was able to execute this program by just typing the program name.
How can I stop users being able to run this using chmod and chown. Please let me know.
PS. the new users cannot cd into /etc/mydir but they can still execute using the program name.
Daniel Beck
You need to find out what actually happens when you type the name of the program:
Use which <programname> to determine the location of the executable that gets executed when you type <programname>, which will be the first hit when trying the directories listed in the PATH environment in order. Use echo $PATH to find out where the shell looks for executables to run.
And just to be sure that your (bash) shell does not interfere, run type <programname> to find out whether aliases or functions are defined.
These will tell you that you're not actually running a program from the inaccessible directory, but from somewhere else.
Roman
Do I correctly understand permission to directories in Linux/Unix?
If your directory has only
r(read) permission you are allowed to see the content of the directory (which files are located there) but you cannot do it because you cannot go (cd) to this directory (because of the absence ofxpermissions). You also cannot see the content of the directory (which files are located there) from outside of the directory (for example byls directoryname/*). You also will be unable to read (see) content of files located in such a directory usingcatandmorecommands (even if you have permissions to read these files). You also will be unable to modify (write) files (even if you have write permissions to them) if these files are located in such a directory (no matter what you trycat >>,echo >>,cpor some text editor). So, from my point of view, to have onlyrpermissions to a directory is equivalent to having absolutely no permissions to the directory.If your directory has only
x(execute) permissions you are allowed to go (cd) into the directory but you are not allowed to see (ls) the content of the directory (because you do not have permissions to read the directory). If a directory has onlyxpermission and it contains a file for which you haver(read) andw(write) permissions, you still well be unable to open this file with (at leas some) text editors (for examplemcedit). But you will be able to read context of the file using such commands ascatormore. You alls will be able to modify content of the file usingecho >>orcat >>. So, it seems to me, that it isxwhat allows users to "read" and "write" existing files in the directory (if files have the corresponding permissions too).If a directory has
randxpermissions but now(write) permissions, you cannot change content of the directory (set of files which are located there). For example you cannot create a new file there or remove existing in the directory. But you still are allowed to change content of existing files. So, you needwpermissions to create or remove files in the directory.Added:
It is also interesting to mention that
wpermission to the directory is necessary but not sufficient to create and delete files in the directory. If a directory has onlywpermission you will be unable to add/remove files from/to the directory. To be able to do so, you need to havexpermission to the directory (additionally towpermission).
hcs42
The question says:
If your directory has only "r" (read) permission you are allowed to see the content of the directory (which files are located there) but you cannot do it because you cannot go ("cd") to this directory (because of the absence of "x" permissions).
Yes, you can do it, you can see the list of files that are contained by the directory:
$ mkdir mydir
$ echo text > mydir/myfile
$ chmod a-wx mydir
$ ls -lA
total 4
dr--r--r-- 2 hcs hcs 4096 2010-02-28 22:12 mydir
$ ls -lA mydir
ls: cannot access mydir/myfile: Permission denied
total 0
-????????? ? ? ? ? ? myfile
But you won't access any other information from the file than its name, as the list shows.
ChrisF
From this page at Dartmouth college:
Remember that to read a file, you need execute access to the directory it is in AND read access to the file itself. To write a file, your need execute access to the directory AND write access to the file. To create new files or delete files, you need write access to the directory. You also need execute access to all parent directories back to the root. Group access will break if a parent directory is made completely private.
So from my reading of your question and this page, it looks like you've got it spot on.
Tom Wijsman
r permission gives access to the LIST of file names (but not metadata)
x permission gives access to file metadata (inode, size, owner, group, perms, etc.) (but no access to LIST of file names)
ls first enumerates the LIST of filenames, and then accesses the file metadata for each file. The metadata is accessed via stat.
Here are examples, imagine directory "example" containing file "data".
With r permissions:
cat /example/datawill fail (no access to file metadata)ls -lA examplewill partially succeed (access granted to LIST of file names, but not metadata)cd examplewill fail (current directory implies access to metadata which is not available)
With x permissions:
cat /example/datawill succeed (access to file metadata given) (access to LIST not required)ls -lA examplewill fail (no access to LIST of file names)cd examplewill succeedlswill fail (no access to LIST of file names)ls -l datawill succeed (access to metadata granted)