• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

read only directory

 
Ranch Hand
Posts: 8945
Firefox Browser Spring Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I logged into a Linux m/x as a root user and created a directory, set the permission to readonly by running chmod 400 export.

dr-------- 2 root root 4096 Jul 12 16:48 export


Even thought it is a read-only directory, I could create files and directories within it. I am surprsied. Explantions ?

thanks,Pradip
 
Ranch Hand
Posts: 959
Eclipse IDE Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
File permissions don't apply to the root user.
 
Pradeep bhatt
Ranch Hand
Posts: 8945
Firefox Browser Spring Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks. I didn't know that.
 
Saloon Keeper
Posts: 27763
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Just wait until you turn on SELinux! Up until then, root is all-powerful.
 
Pradeep bhatt
Ranch Hand
Posts: 8945
Firefox Browser Spring Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Tim Holloway:
Just wait until you turn on SELinux! Up until then, root is all-powerful.



How do I turn on SELinux ? How does it work differently. Thank you
 
Tim Holloway
Saloon Keeper
Posts: 27763
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Legacy Unix recognizes only a limited set of access control rules. Basically, read/write/execute for owner/group/guest users.

SeLinux was designed to provided a finer-grade set of access rules, similar to the level of refinement you get from systems like Windows NT, but with better attention to locking things down by default. For example, you might permit user "apache" to be able to modify the apache config files, but allow root to only view them. In a non-SeLinux system, root can do anything to anybody.

selinux comes available with a lot of current-generation Linux distros. I think that the Red Hat Enterprise releases have it turned on by default, since servers are especially vulnerable to exploitation.

It would take too much time to explain in detail, but here's a good starting point: http://en.wikipedia.org/wiki/SELinux

In RHEL, the specialized security users, groups, and rules are mostly provided by Red Hat as part of the package installs. RHEL 5 is suppsed to have come up with a management console app that makes it easier for you to set up and control your own rules.

Two useful things to know where you work with selinux:

ls -Z will show the filesystem object's selinux attributes. You can stack it with traditional ls options (for example: ls -lZh /var/www).

The program that allows you to set selinux attributes (a la chmod) is called "chcon". Which I can never remember. Only use if if you are very brave, however, since you can potentially lock yourself out of critical system controls. Most of the chcon stuff is done by selinux-aware package installers, so you won't have to.
 
Pradeep bhatt
Ranch Hand
Posts: 8945
Firefox Browser Spring Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks Tim.

SeLinux was designed to provided a finer-grade set of access rules, similar to the level of refinement you get from systems like Windows NT, but with better attention to locking things down by default. For example, you might permit user "apache" to be able to modify the apache config files, but allow root to only view them. In a non-SeLinux system, root can do anything to anybody.



It is the root user who defines the access rules?
 
Tim Holloway
Saloon Keeper
Posts: 27763
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by Pradip Bhat:
Thanks Tim.



It is the root user who defines the access rules?



Ouch! It shames me to admit that I'm not enough of an expert to give the One True Answer. Although I've never figured out quite why, Selinux has always been more trouble to figure out than the Windows NT security system. Then again, I just did a quick RTFM. Selinux covers a lot more resources than just files, and there's various arrangements that make it even more comples. Mostly I keep track of just enough of it to get by - until someone pays me to do some serious Linux security work, that's all I can spare time for.

It's not so much who is allowed to define policies, however, as who can actually install and activate them. And unless things are really unusual there, it would be whomever holds the selinux security role that permits use of those tools. Which might or might not actually be a root user.

Anyway, I found this interesting little site that looks to be a bit easier to follow than most: http://equivocation.org/selinux
 
Pradeep bhatt
Ranch Hand
Posts: 8945
Firefox Browser Spring Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks Tim. The link is really useful.
 
reply
    Bookmark Topic Watch Topic
  • New Topic