[Chicago-talk] chown inside a script
Brian Katzung
briank at kappacs.com
Thu Dec 6 13:57:30 PST 2007
Jay et al,
I'm not sure about the "easier" part, but I would probably do something
like this:
- Create a queue directory for each employee, e.g.
/some/path/closed/{emp1,emp2,emp3}
with access by managers (you)
- When you "close" the employees' files in your app, save them to the
appropriate employee queue
- Have a root script monitor the queue tree (you could use "fam" (file
alteration monitor) API or roll your own)
- When plain files appear in the employee queues, the root script would
move them to some standardized place (e.g. to ~emp/my_app_closed_files/)
with appropriate checks for file (directory) types, name collisions,
etc. and chown them.
- Brian
Jay Strauss wrote:
> Hi All,
>
> I figured if I showed my hand, everyone would call me a crazy person
> with an insecure system (which I'm not denying).
>
> Here's the deal:
>
> I run a MS application to which the files are stored on my samba
> server. Currently, when a user creates a file, that user/owner is the
> only user with read (and write) access to said file. BUT, when the
> file is "closed", I (me), the manager, use the application to move the
> file from one "folder" to a different "folder". Behind the scenes the
> app, copies the file from one directory to another, and deletes the
> original.
>
> As a result, I (jstrauss), become the owner of the file, and the
> person who created it, no longer has access. I want to retain the
> original ownership, so that the creator can still look at the file
> (but no one else can).
>
> So I wrote a cgi to change ownership, rather than sshing to the box,
> cd'ing to the directory, looking up the filename in the application,
> and then chown'ing filname*, everytime someone wants to see a "closed"
> file.
>
> If there are better, easier, more secure ways to do this I'd welcome
> suggestions. Please NOTE, the webserver is an internal webserver
> (behind my firewall), and my company includes me and 3 employees
> (really only 2.5 if you measured productivity :).
>
> Jay
>
>
>
> On Dec 6, 2007 9:59 AM, Ted Zlatanov <tzz at lifelogs.com> wrote:
>> On Wed, 05 Dec 2007 22:38:10 -0600 Jonathan Rockway <jon at jrock.us> wrote:
>>
>> JR> On Wed, 2007-12-05 at 22:28 -0600, Jay Strauss wrote:
>>>> Thanks.
>>>>
>>>> But I don't think that will work in my case, because I'm doing it from
>>>> a web page, I had to create an suid link to chown, to call from my
>>>> cgi.
>>>>
>>>> Unless there is some way to do it from inside perl, but still change
>>>> ownership of file not owned by the webserver.
>> JR> This is a massive security nightmare. Consider the case where someone
>> JR> symlinks /path/that/matches/your.glob to /etc/shadow. You've just
>> JR> rendered the system unusable.
>>
>> JR> Also, keep in mind that you can't create a "setuid link". chmod follows
>> JR> symlinks and updates the original file.
>>
>> I think chroot to a known good path that contains only data files (plus
>> a minimal chown setup) would work. Symlinks to the outside won't
>> resolve inside such an environment. Hard links will, if the filesystem
>> was shared, so don't put the data files on the /etc filesystem. The
>> worst an attacker could do is corrupt the data inside the chroot
>> environment. It's a pain to set it all up, though.
>>
>> Ted
>>
>> _______________________________________________
>> Chicago-talk mailing list
>> Chicago-talk at pm.org
>> http://mail.pm.org/mailman/listinfo/chicago-talk
>>
> _______________________________________________
> Chicago-talk mailing list
> Chicago-talk at pm.org
> http://mail.pm.org/mailman/listinfo/chicago-talk
>
>
--
Brian Katzung, Kappa Computer Solutions, LLC
Leveraging UNIX, GNU/Linux, open source, and custom
software solutions for business and beyond
Phone: 877.367.8837 x1 http://www.kappacs.com
More information about the Chicago-talk
mailing list