Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > Perl > Perl Misc > savely change permission and group on files

Reply
Thread Tools

savely change permission and group on files

 
 
Lars Madsen
Guest
Posts: n/a
 
      02-22-2006
Hi,

I have a small problem here. We have a special directory on our file
system (Linux) where a lot of people are writing to (mostly HTML pages,
no we do not have a CMS, this low tech is fine for now).

Now we also have some secretaries who can help edit these files. The
problems is of course permissions, secretary B need to be able to edit
the files owned by user A.

Solution: Put the necessary people in a special group and make sure that
the files are writable for that group. That's fine, but people tend to
forget setting permissions or changing groups, so I'd like to have a
cron job that goes through all files in a specific directory and set the
group and permissions on all files in this directory-tree.

That's easy to do, well sort of. The problem is of course that this cron
job has to run as root (or similar) and then we are vulnerable to user
input, as in file names such as 'file.html;rm -rf /'

So my question is this: how can one safely change the group and group
permissions in such a case as this. Or more generally how can one run
system commands safely on potentially dangerous data?

/daleif
 
Reply With Quote
 
 
 
 
Anno Siegel
Guest
Posts: n/a
 
      02-22-2006
Lars Madsen <(E-Mail Removed)> wrote in comp.lang.perl.misc:
> Hi,
>
> I have a small problem here. We have a special directory on our file
> system (Linux) where a lot of people are writing to (mostly HTML pages,
> no we do not have a CMS, this low tech is fine for now).
>
> Now we also have some secretaries who can help edit these files. The
> problems is of course permissions, secretary B need to be able to edit
> the files owned by user A.
>
> Solution: Put the necessary people in a special group and make sure that
> the files are writable for that group. That's fine, but people tend to
> forget setting permissions or changing groups, so I'd like to have a
> cron job that goes through all files in a specific directory and set the
> group and permissions on all files in this directory-tree.
>
> That's easy to do, well sort of. The problem is of course that this cron
> job has to run as root (or similar) and then we are vulnerable to user
> input, as in file names such as 'file.html;rm -rf /'
>
> So my question is this: how can one safely change the group and group
> permissions in such a case as this. Or more generally how can one run
> system commands safely on potentially dangerous data?


Firstly, a file name like that is only dangerous if you let a shell
interpret it. "chmod" by itself will fail, or change the permissions
if you managed to create a file of that name. So use the list form
of system(), which doesn't employ a shell. perldoc -f system.

Secondly, you don't need an external command at all to change the
file group. perldoc -f chown.

Thirdly, though this has nothing to do with Perl, you can set the group
of the enclosing directory to the common one and set its sgid bit. Under
Linux (and other BSD-derived systems) files and directories created in
that directory will be in the same group per default. man chmod.

Anno
--
If you want to post a followup via groups.google.com, don't use
the broken "Reply" link at the bottom of the article. Click on
"show options" at the top of the article, then click on the
"Reply" at the bottom of the article headers.
 
Reply With Quote
 
 
 
 
Aaron Baugher
Guest
Posts: n/a
 
      02-22-2006
Lars Madsen <(E-Mail Removed)> writes:

> Solution: Put the necessary people in a special group and make sure
> that the files are writable for that group. That's fine, but people
> tend to forget setting permissions or changing groups, so I'd like
> to have a cron job that goes through all files in a specific
> directory and set the group and permissions on all files in this
> directory-tree.


Not really a perl problem:

#!/bin/sh
if cd /wherever; then
chgrp -R ourgroup .
chmod -R g+rw .
fi


--
Aaron -- http://www.velocityreviews.com/forums/(E-Mail Removed)
http://360.yahoo.com/aaron_baugher
 
Reply With Quote
 
Lars Madsen
Guest
Posts: n/a
 
      02-22-2006

>
> Firstly, a file name like that is only dangerous if you let a shell
> interpret it. "chmod" by itself will fail, or change the permissions
> if you managed to create a file of that name. So use the list form
> of system(), which doesn't employ a shell. perldoc -f system.
>


ok

> Secondly, you don't need an external command at all to change the
> file group. perldoc -f chown.
>


I know

> Thirdly, though this has nothing to do with Perl, you can set the group
> of the enclosing directory to the common one and set its sgid bit. Under
> Linux (and other BSD-derived systems) files and directories created in
> that directory will be in the same group per default. man chmod.
>


hmm, never even thought of that

thanks

/daleif
 
Reply With Quote
 
Jürgen Exner
Guest
Posts: n/a
 
      02-22-2006
Lars Madsen wrote:
[...]
> Now we also have some secretaries who can help edit these files. The
> problems is of course permissions, secretary B need to be able to edit
> the files owned by user A.
>
> Solution: Put the necessary people in a special group and make sure
> that the files are writable for that group. That's fine, but people
> tend to forget setting permissions or changing groups,


Why not set the SetGUID bit on the directory?

> so I'd like to
> have a cron job that goes through all files in a specific directory
> and set the group and permissions on all files in this directory-tree.


[complicated proposal snipped]

jue


 
Reply With Quote
 
Lars Madsen
Guest
Posts: n/a
 
      02-22-2006
Aaron Baugher wrote:
> Lars Madsen <(E-Mail Removed)> writes:
>
>> Solution: Put the necessary people in a special group and make sure
>> that the files are writable for that group. That's fine, but people
>> tend to forget setting permissions or changing groups, so I'd like
>> to have a cron job that goes through all files in a specific
>> directory and set the group and permissions on all files in this
>> directory-tree.

>
> Not really a perl problem:
>
> #!/bin/sh
> if cd /wherever; then
> chgrp -R ourgroup .
> chmod -R g+rw .
> fi
>


yes that's true, but real life is of cource not as simple as the case I
described.

One problem with this is that it allows users to create directories in
/whatever (creating them in subdirectories are fine) which we don't want.

I'll find some compromise

/daleif




 
Reply With Quote
 
Aaron Baugher
Guest
Posts: n/a
 
      02-22-2006
Lars Madsen <(E-Mail Removed)> writes:

> Aaron Baugher wrote:
>> Not really a perl problem:
>> #!/bin/sh
>> if cd /wherever; then
>> chgrp -R ourgroup .
>> chmod -R g+rw .
>> fi
>>


> yes that's true, but real life is of cource not as simple as the
> case I described.


> One problem with this is that it allows users to create directories
> in /whatever (creating them in subdirectories are fine) which we
> don't want.


So add the line 'chmod g-w .' right before the 'fi' line to remove
group write permissions from the top directory.


--
Aaron -- (E-Mail Removed)
http://360.yahoo.com/aaron_baugher
 
Reply With Quote
 
Lars Madsen
Guest
Posts: n/a
 
      02-23-2006

> Huh? I don't get it. Why would you be vulnerable if you're doing something
> simple as changing the permissions of files?
>


if one (by mistake) runs sys commands on unchecked data

as in doing a naive delete of a file named '-rf /'


/daleif
 
Reply With Quote
 
Michael Greb
Guest
Posts: n/a
 
      02-23-2006
In article <(E-Mail Removed)>,
Abigail <(E-Mail Removed)> wrote:

> Lars Madsen ((E-Mail Removed)) wrote on MMMMDLIX September MCMXCIII in
> <URL:news:43fcfe5c$0$11674$(E-Mail Removed) a.net>:
> ??
> ?? > Huh? I don't get it. Why would you be vulnerable if you're doing
> something
> ?? > simple as changing the permissions of files?
> ?? >
> ??
> ?? if one (by mistake) runs sys commands on unchecked data
>
> If you are afraid you make mistakes like that, you shouldn't program
> at all. There's no defence.
>
> ?? as in doing a naive delete of a file named '-rf /'
>
>
> Huh? A native delete of a file in Perl is quite safe, and spelled 'unlink'.


'native' ne 'naive'
 
Reply With Quote
 
Juha Laiho
Guest
Posts: n/a
 
      02-23-2006
Lars Madsen <(E-Mail Removed)> said:
>I have a small problem here. We have a special directory on our file
>system (Linux) where a lot of people are writing to (mostly HTML pages,
>no we do not have a CMS, this low tech is fine for now).
>
>Now we also have some secretaries who can help edit these files. The
>problems is of course permissions, secretary B need to be able to edit
>the files owned by user A.


The 'chmod g+s' solution is pretty much correct. The only potential problem
is someone who sets their umask (file creation mask) to a too strict
value (f.ex. 066, to prohibit all acess to created files from everyone
but the creator).

Depending on your Linux distribution, it may support a more sophisticated
way to control file access, called ACLs (access control lists). These
can be defined to be inherited by newly created objects, and can be set
to provide required level of access - and this solution should be
resistent to the umask "problem" described above.

This message is crossposted in comp.os.linux.misc, and followups are
directed to the same; if you need further help with the ACLs (they
can be a pain..), please continue in that group.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
permission/ access right for different group (help~) -_- Java 0 03-07-2010 07:31 AM
Fixed: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {555F3418-D99E-4E51-800A-6E89CFD8B1D7} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). Skybuck Flying Windows 64bit 1 06-29-2009 06:17 PM
Changing group permission using java in unix Sidhartha Java 2 07-07-2008 07:38 PM
A Paradise DNS address change? What change? There was no change. Tony Neville NZ Computing 7 09-22-2006 01:02 PM
CGI Python user/group permission weirdness Aienthiwan Python 2 01-19-2004 05:49 PM



Advertisments