security - CentOS: How to prevent a user from executing an application installed in a specific directory
2014-04
I have an application installed in /etc/mydir
.
I have executed the following to remove the ability for users to execute this program.
chown root:group1 /etc/mydir -R
chmod 700 /etc/mydir -R
I created a new user and logged in as this user. The new user was not added to group1
However, I was able to execute this program by just typing the program name.
How can I stop users being able to run this using chmod
and chown
. Please let me know.
PS. the new users cannot cd
into /etc/mydir
but they can still execute using the program name.
You need to find out what actually happens when you type the name of the program:
Use which <programname>
to determine the location of the executable that gets executed when you type <programname>
, which will be the first hit when trying the directories listed in the PATH
environment in order. Use echo $PATH
to find out where the shell looks for executables to run.
And just to be sure that your (bash
) shell does not interfere, run type <programname>
to find out whether aliases or functions are defined.
These will tell you that you're not actually running a program from the inaccessible directory, but from somewhere else.
Do I correctly understand permission to directories in Linux/Unix?
If your directory has only
r
(read) permission you are allowed to see the content of the directory (which files are located there) but you cannot do it because you cannot go (cd
) to this directory (because of the absence ofx
permissions). You also cannot see the content of the directory (which files are located there) from outside of the directory (for example byls directoryname/*
). You also will be unable to read (see) content of files located in such a directory usingcat
andmore
commands (even if you have permissions to read these files). You also will be unable to modify (write) files (even if you have write permissions to them) if these files are located in such a directory (no matter what you trycat >>
,echo >>
,cp
or some text editor). So, from my point of view, to have onlyr
permissions to a directory is equivalent to having absolutely no permissions to the directory.If your directory has only
x
(execute) permissions you are allowed to go (cd
) into the directory but you are not allowed to see (ls
) the content of the directory (because you do not have permissions to read the directory). If a directory has onlyx
permission and it contains a file for which you haver
(read) andw
(write) permissions, you still well be unable to open this file with (at leas some) text editors (for examplemcedit
). But you will be able to read context of the file using such commands ascat
ormore
. You alls will be able to modify content of the file usingecho >>
orcat >>
. So, it seems to me, that it isx
what allows users to "read" and "write" existing files in the directory (if files have the corresponding permissions too).If a directory has
r
andx
permissions but now
(write) permissions, you cannot change content of the directory (set of files which are located there). For example you cannot create a new file there or remove existing in the directory. But you still are allowed to change content of existing files. So, you needw
permissions to create or remove files in the directory.Added:
It is also interesting to mention that
w
permission to the directory is necessary but not sufficient to create and delete files in the directory. If a directory has onlyw
permission you will be unable to add/remove files from/to the directory. To be able to do so, you need to havex
permission to the directory (additionally tow
permission).
The question says:
If your directory has only "r" (read) permission you are allowed to see the content of the directory (which files are located there) but you cannot do it because you cannot go ("cd") to this directory (because of the absence of "x" permissions).
Yes, you can do it, you can see the list of files that are contained by the directory:
$ mkdir mydir
$ echo text > mydir/myfile
$ chmod a-wx mydir
$ ls -lA
total 4
dr--r--r-- 2 hcs hcs 4096 2010-02-28 22:12 mydir
$ ls -lA mydir
ls: cannot access mydir/myfile: Permission denied
total 0
-????????? ? ? ? ? ? myfile
But you won't access any other information from the file than its name, as the list shows.
From this page at Dartmouth college:
Remember that to read a file, you need execute access to the directory it is in AND read access to the file itself. To write a file, your need execute access to the directory AND write access to the file. To create new files or delete files, you need write access to the directory. You also need execute access to all parent directories back to the root. Group access will break if a parent directory is made completely private.
So from my reading of your question and this page, it looks like you've got it spot on.
r
permission gives access to the LIST of file names (but not metadata)
x
permission gives access to file metadata (inode, size, owner, group, perms, etc.) (but no access to LIST of file names)
ls
first enumerates the LIST of filenames, and then accesses the file metadata for each file. The metadata is accessed via stat
.
Here are examples, imagine directory "example" containing file "data".
With r
permissions:
cat /example/data
will fail (no access to file metadata)ls -lA example
will partially succeed (access granted to LIST of file names, but not metadata)cd example
will fail (current directory implies access to metadata which is not available)
With x
permissions:
cat /example/data
will succeed (access to file metadata given) (access to LIST not required)ls -lA example
will fail (no access to LIST of file names)cd example
will succeedls
will fail (no access to LIST of file names)ls -l data
will succeed (access to metadata granted)