Re: File/Directory Permissions and Security

["Pierre A. Humblet" <pierre dot humblet at ieee dot org>]

On Sat, Apr 12, 2003 at 01:20:08AM -0400, L. Li wrote:
> Hi,
> 
> I'm a Cygwin and Unix newbie (kinda anyway - it's my first time
> administrating). I recently set up an openSSH server on my box via Cygwin
> and I'm trying to set up proper file/directory permissions. I called a
> recursive chmod so that only the owners of each object can write, while all
> others can only read and execute.
> 
> After doing this, I went to verify that this was the case and logged in
> under a user that was not the owner of anything but his home directory. The
> home directory permissions worked great. Only he had write access. However,
> outside of that, he could write to any directory he wanted to (except for
> the root C and D hard drives - don't know why). I'm wondering what I have to
> do to revoke write access to directories once I've ssh'ed into my box. Once
> I can get this basic policy up, I'll tamper with more specific permissions
> on a per object basis. But right now I can't seem to get this working.

Access is controlled by ACLs that may have more entries than just for owner,
group and everyone. "ls -l" displays a "+" when this is the case. 
You can observe the acl with "getfacl" or "cacls". 

chmod does not affect the permissions of the extraneous groups, but you can
change or remove them with "setfacl" or the Windows security GUI.

If you use setfacl on a directory, I highly recommend that you specify default
permissions for owner, group and everyone. Otherwise files created by non-cygwin 
applications may have unexpected permissions.

Pierre

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/